Chapter 5 


The Insurance Relationship 


The activities of the nation’s 4,700 insurance companies touch the lives 
of all Americans in a variety of ways. Two out of three Americans have life 
insurance protection;! 90 percent of the civilian population under age 65 is 
covered by individual or group health insurance policies;? and 15 million 
are covered by the pension plans that life insurers offer.3 It is estimated that 
almost 90 percent of the registered automobiles in the country are insured,4 
and few homes are without insurance coverage. In 1975, the premiums 
_ Americans paid for life, health, and pension coverage amounted to $58.6 

billion® and property and liability insurance premiums amounted to another 
$50 billion.® The companies, for their part, paid out an estimated $75 billion 
in claims and policyholder benefits.” 

The central function of insurance is to spread the economic burden of 
unforeseen financial losses by using the premiums paid by many insureds to 
pay for the losses sustained by a few. Some forms of insurance protection are 
mandated by law or business practice. For example, a number of States 
require car owners to carry auto insurance. Mortgage lenders require 
borrowers to carry fire insurance. Contractors are required to provide surety 
bonds to protect their clients against failures to perform and some fields of 
employment require fidelity bonds. Other forms of insurance, such as life, 
health, malpractice, and product and other liability coverages, are virtually 
mandatory in the minds of many people. Indeed, the cost and availability of 
insurance influence the character of society as well as the economy. It 
affects personal lives, life-styles, and even living standards. 

Because the chief functions of an insurer—underwriting and rating 
risks and paying claims—are decision-making processes that involve 
evaluations of people and their property, the insurance industry is among 





1 American Council of Life Insurance, Life Insurance Fact Book, (New York: American 
Council of Life Insurance, 1976), p- 9. 


? Health Insurance Institute, The Source Book of Health Insurance Data 1974 - 1975, (New 
York: Health Insurance Institute, 1975), p. 19. 

9 American Council of Life Insurance, op. cit., p. 38. 

* Automobile Insurance Plan Services Organization, AIPSO Insurance Facts for 1977, (New 
York: Automobile Insurance Plan Services Organization, 1977), p. 4. 

5 American Council of Life Insurance, op. cit., p. 55. 4 


® Insurance Information Institute, Insurance Facts, (New York: Insurance Information 
Institute, 1976), p. 12. 


T American Council of Life Insurance, op. cit., pp. 9 and 52; information obtained orally from 
A.M. Best and Co. 


CamScanner 


156 PERSONAL PRIVACY IN AN INFORMATION SOCIETy 


society’s largest gatherers and users of information about individuals. This 
chapter reports the results of the Commission’s inquiry into the personal- 
data record-keeping practices of insurance companies and the support 
organizations that provide them with various services, including record 
keeping. 

The chapter begins with a short description of the industry, its sources 
of information about individuals, and the role that support organizations 
play in gathering and disseminating such information. This is followed by an 
examination of the way records about an individual affect his place in the 
insurance relationship today, and of the problems industry record-keeping 
practices pose from a privacy protection viewpoint. Finally, after summariz. 
ing current legal restraints on the record-keeping practices of insurance 
institutions and support organizations, the Commission, in the last section, 
presents and explains its specific recommendations for change. As in other 
chapters of this report the Commission’s recommendations are arranged in 
terms of its three recommended public-policy objectives: (1) to minimize 
intrusiveness; (2) to maximize fairness; and (3) to create a legitimate, 
enforceable expectation of confidentiality. 


INSURANCE INSTITUTIONS AND SUPPORT ORGANIZATIONS 


There are essentially two types of insurance companies: stock 
companies owned by shareholders and mutual companies owned by 
policyholders. (Blue Cross and Blue Shield are nonprofit associations which 
policyholders join.) Although the largest life insurance companies are of the 
mutual type, the total amount of life insurance protection in force is about 
equally divided between stock and mutual companies. In the property and 
liability insurance business, the largest company is also a mutual company, 
but stock companies account for over 70 percent of premium volume. 

Multiple-line insurance institutions are those with affiliate companies 
writing both life and health and property and liability coverages. The largest 
property and liability insurers are affiliates of multiple-line institutions, as 
are the largest life insurers since the expansion of some mutual companies 


. Into property and liability lines. 


Companies sell insurance in four ways: by direct mail; through an 
exclusive agent; through an independent agent; or through a broker. While 


_ the exclusive agent represents only one company, the independent agent 


may have agreements with several companies, and the broker is a legal 
representative of his clients rather than the companies with which he places 
business. Agents are paid commissions or fees by companies rather than by 
clients. For simplicity of discussion, however, all will here be referred to a$ 
agents. ; 

From a privacy protection viewpoint, insurers differ more significantly 
in terms of product line than they do in terms of ownership and company 
Structure. The application form for the simpler types of life and health 
insurance sold by direct mail typically asks for little information. Name, 
address, age, sex, occupation, a statement certifying that the-applicant has 
not had certain illnesses within a stated period of time and is currently in 


CamScanner 


The Insurance Relationship 157 


good health, and the beneficiary’s name usually suffice. This is possible 
because policies sold by direct mail are relatively small ones, the population 
buying them is comparatively large, and they tend to be for limited 
coverages. Thus, the spread of risk of illness and death on which the 
premium rates are predicated is maintained. 

In contrast, insurance sold through agents typically requires more 
information from and about the applicant and other insureds. Such 
coverages tend to be broader, more varied, and often need to be tailored to 
the particular needs of the applicant. Of all insurance sold through agents, 
the type requiring the least personal information is group insurance, which is 
underwritten on an aggregate rather than an individual basis, i.e., over time 
the premium rate is determined by the illness and death experience of the 
entire group. 

Because the experience of large groups is statistically more reliable, the 
experience of many small groups may often be combined in determining 
premium rates. Doing so, however, demands more care in offering group 
insurance to smaller firms than in offering it to larger ones, lest the people in 
low-risk groups inadvertently subsidize those in high-risk ones. Care is also 
exercised in soliciting large accounts, but only as to the aggregate mix of 
occupations or other gross characteristics of the members of the group. 
Thus, while group insurance by its nature is markedly less dependent on 
information about the individual than on any other types of insurance, the 
amount of detail that can be dispensed with will depend on the size of the 
group involved, 

As to individual life, health, and property and liability insurance that 
is sold through agents, the amount of information collected about individual 
applicants and insureds can be extensive. Moreover, the way it is collected, 
used, and disclosed is somewhat different in life and health underwriting 
than in property and liability underwriting. These differences, and the 
privacy protection problems they create, are principal themes of this 
chapter. 


LIFE AND HEALTH INSURERS 


Life and health insurers and their agents have different reasons for 
collecting and using information about individuals than property and 
liability insurers. In the first place, people often have to be persuaded to buy 
life insurance, whereas there is a ready market for property and liability 
coverage. Moreover, because life insurance is often sold as part of a package 
of financial planning services offered by agents, a life insurance prospect 
may be asked to divulge much information about himself even before the 
application is completed. For example, when insurance is used in estate 
building or estate conservation, the agent collects detailed information 


689 CamScanner 


158 PERSONAL PRIVACY IN AN INFORMATION SOCIETy 


about the prospect’s net worth, income, career prospects, and personal 
goals. When business life insurance® is being considered, extensive informa- 
tion about the financial condition of the firm or its principals is required. As 
a result, some life insurance agents have more comprehensive knowledge 
about a client’s financial affairs than perhaps anyone else. 

Most importantly, life insurance is a contract which binds a company 
to pay claims or benefits unless the policyholder fails to pay premiums when 
due, or unless the company can prove fraud or material misrepresentation 
during a limited “contestable period,” generally two years after which a 
claim must be paid even if the application turns out to have been fraudulent, 
Thus, before entering into such a contract, the insurer wants an accurate 
health history, often supplemented by a medical examination to determine 
current health status, financial status information to protect against 
overinsurance, and enough information about personal habits to judge 
whether they might shorten the applicant’s life. If the applicant has a 
significant health impairment, he is subjected to an extensive underwritin 
investigation to determine whether insurance can be issued to him, and if so, 
at what rate. 

With most individual health insurance, there is less pressure to gather 
information about the applicant than in life insurance. Unless an individual 
health policy is the type that is not cancelable, the company can protect 
itself by increasing the price or declining to renew coverage at expiration. 
(Some health policies are guaranteed renewable but with the understanding 
that the company may increase the price at the time of renewal.) 
Nonetheless, detailed medical-record information is gathered in order to 
decide whether to accept the risk in the first instance, and how much to 
charge. Medical-record information is also an obvious consideration in 
writing disability insurance. Because these coverages are more susceptible 

than life insurance to abuse by insureds, companies want information 
- concerning an applicant’s character and his propensity for a disabling 
accident or illness. Occupation is also an important consideration—the loss 
of a finger is more disabling for a surgeon than a businessman—and the 
amount of disability income protection provided needs to be related to 
earned income. 

The applicant and agent are the primary sources of information in 
underwriting life and health insurance. Because each has a financial interest 
in seeing the sale completed, however, investigative-reporting agencies 
(inspection bureaus) and other outside sources are often used to check the 
accuracy and completeness of the information applicants and agents 
provide. The types of inquiries these investigations typically involve and the 
manner in which inspection bureaus conduct them are described in Chapter 
8. Here it is enough to point out that they can involve contacts with 
neighbors, employers, associates, bankers; and creditors; reviews of medical 


§ Business life insurance is life insurance purchased for the benefit of the business itself, e.g.: 
(1) to indemnify the business for the loss of a key employee; (2) as a source of funds to buy back 
or purchase ownership of a firm upon the death of a partner or key employee; or (3) as a source 


of funds in order to discharge financial responsibility pursuant to a contractual agreement. 


CamScanner 


The Insurance Relationship 159 


records obtained from doctors or hospitals; and checks of public records for 
evidence of financial or legal difficulties. 

Life and health insurers and investigative-reporting agencies acting on 
their behalf often contact third-party sources that have a confidential 
relationship with the applicant or insured, such as doctors, accountants, or 
lawyers, and thus an authorization is required before the information can be 
released. Typically, an applicant is required to sign such an authorization as 
a condition of having his application considered; is informed, as required by 
the Fair Credit Reporting Act (FCRA),? that an investigative report may be 
obtained; and is notified that information may be reported to the Medical 
Information Bureau (see below). 

Normally, life insurance and medical expense claims are paid when a 
death certificate or medical bills are submitted. Claims for disability-income 
benefits are verified with the claimant’s physician and employer and may be 
investigated more thoroughly if the claim appears questionable. The 
insurer’s need for medical-record information in processing claims and the 
issues it raises for public policy on the confidentiality of the medical-care 
relationship are discussed in Chapter 7. 


The Medical Information Bureau (MIB) 


Like credit grantors, life and health insurers have organizations whose 
record-keeping services allow them to learn something about an applicant’s 
previous contacts with other companies in the industry. The Medical 
Information Bureau (MIB) is an unincorporated, nonprofit trade associa- 
tion set up to facilitate the exchange of medical-record information among 
life insurers. Nearly 700 U.S. and Canadian life insurers subscribe to it and 
use it as an important source of information in underwriting life and health 
policies and in processing life and health claims.1° 

Each member company agrees to send the MIB a code anytime it 
develops information on an individual concerning certain medical and other 
conditions of some underwriting significance, except that companies are no 
longer supposed to report information developed in processing a claim. 
These codes are maintained by the MIB for seven years. Typically, a 
member company, on receiving an application, asks the MIB to check its 
files for information on the individual. If a code is found, it is sent to the 
inquiring company, which may then seek further details from the company 
that originally reported it, provided, however, that the inquiring company 
has first conducted its own investigation (e.g., a medical examination) to 
verify the reported condition. These “requests for details,” which must be 
channeled through the MIB, are limited to 15 percent of the number of 
reports each company has submitted within the past year.!! In 1975, there 





® Fair Credit Reporting Act, 15 U.S.C. 1681 ef seq. 

10 Written statement of the Medical Information Bureau (hereinafter cited as “MIB"), 
Insurance Records, Hearings before the Privacy Protection Study Commission, May 19, 1976, p- 
11 (hereinafter cited as “Insurance Records Hearings”). 

11 Ibid., pp. 5-6. . y 


f- 


689 CamScanner 


160 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


were 75,000 of them out of a possible 300,000. !2 

The MIB does not investigate on its own, nor does it attempt to verify 
any information reported to it.!3 MIB Rule 9 specifies that member 
companies must report information regardless of the manner or form in 
which they acquire it.14 Because many life insurers are also health insurers, 
information discovered in the course of health as well as life underwriting 
may thus be reported to the Bureau. oe 

About 95 percent of the coded information contained in the MIB files 
is considered to be “medical.” Only five percent is classified as nonmedical 
information, such as “reckless driving,” “aviation,” or “hazardous sport.”15 
_ Currently, the MIB maintains information on 11 million individuals. 
Approximately three percent of all life applicants are uninsurable while six 
percent are “ratable.”"16 In 1975, member companies submitted 2.45 million 
reports to the MIB,!7 and 17.5 million requests for information, while the 
MIB sent out 3.6 million responses.'8 

The Medical Information Bureau has been a controversial organiza- 
tion ever since its existence came to public attention in the mid-1960’s. One 
of the most controversial aspects has been its use of the so-called nonmedical 
codes. In testimony before the Commission, the Bureau’s Executive Director 
and General Counsel identified five: (1) reckless driving confirmed by the 
proposed insured or by official State or provincial (Canadian) motor vehicle 
bureau reports; (2) aviation with the proposed insured only as the source; 
(3) hazardous sport with the proposed insured only as the source; (4) 
nonmedical information where the source is not a consumer report (i.e., an 
inspection bureau report); and (5) nonmedical information received from a 
consumer report and not confirmed by the proposed insured.!9 He told the 
Commission that the fifth nonmedical code (nonmedical information 
received from a consumer report) could only refer to reckless driving, 
aviation, and hazardous sport and would not give life-style information.20 In 
a letter sent to the Commission later, however, he states that “further review 
of MIB coding instructions shows that these nonspecific codes may also be 





12 Ibid. 

#8 According to the report of a.1975 interview with then MIB Executive Director, Joseph C. 
Wilberding, the information companies were reporting to the Bureau came from the following 
sources: 33 percent from physicians, hospitals, or medical Organizations; 15 percent from 
Inspection bureau reports; and 53 percent from insurance forms filled out by the applicant 
himself or by the insurance agent, or from medical exams required by the companies. Mark 
Reutter, “Private Medical Records Aren’t So Secret,” Baltimore Sun, July 13, 1975, “Trend” 
Section, pp. 1-4. . 

*4 MIB, “General Rules,” Handbook and Directory, 1971, Rule 9. Since the Privacy Protection 
Study Commission hearings, the MIB has changed its rules. Rule 9 has been replaced by Rule 
D.2, which states that: “Underwriting information involving any impairments listed in the MIB 

€ Book and received by members from original medical or other sources, from official 
L » or from the applicant during the course of an application for personal life or 
health insurance must be Teported to MIB regardless of the underwniting decision.” 


15 Written stat : 
. Ibid. p, . €ment of the MIB, pane Records Hearings, May 19, 1976, p- 10. 


17 Tbid., p. 4. 
18 Tbid., p. 5. 


19 Testim ; ? 
2 ie mea the MIB, Insurance Records Hearings, May 19, 1976, pp. 236 - 38. 


89 CamScanner 


The Insurance Relationship 161 


used to report other types of nonmedical information, such as ‘age,’ 
‘environment,’ ‘foreign residence or travel,’ ‘occupation,’ and ‘finances.””2! 

Another object of controversy has been a code for reporting 
information about an individual’s health, which, because of source, does not 
conform to the definition of medical-record information in the Fair Credit 
Reporting Act, i.c., information obtained from licensed physicians or 
medical practitioners, hospitals, clinics, or other medical or medically 
related facilities. {75 U.S.C. 1681a(i)] Such information could be reported in 
one of two ways. First, it could be reported by noting the specific code for 
the condition involved together with an additional symbol indicating that 
the information does not come within the FCRA definition.22 Or second, as 
indicated in Executive Director Day’s letter, it could be reported by using a 
code for “medical information received from a consumer report, not 
confirmed by the proposed insured or medical facility. . . .”2% 

On October 28, 1976, some months after the discussion of these 
matters in the Commission’s hearings, the MIB informed the Commission 
that it was proposing the following changes to its code list. First, it was 
deleting three codes: (1) nonmedical information where the source is not a 
consumer report; (2) nonmedical information received from a consumer 
report not confirmed by the proposed insured; and (3) medical information 
received from a consumer report not confirmed by the proposed insured or a 
medical facility. The MIB assured the Commission that in the future 
“medical impairments may be reported only if information or records are 
received from the applicant or from licensed physicians, hospitals, clinics, or 
other medical or medically related facilities.” It further stated that the three 
eliminated codes “will no longer be transmitted to member companies and 
will be purged or subjected to a ‘no report order.’”24 

Second, the remaining nonmedical codes (reckless driving, aviation, 
and hazardous sport confirmed by the proposed insured) may now only be 
reported to the MIB if such activity has occurred within the three years 
preceding the application at hand.” This was in response to the complaint 
that very old information could get into MIB files; that the practice of 
purging information reported more than seven years ago does not mean that 
all events or conditions coded in MIB records occurred within the previous 
seven years. For example, a reckless driving conviction that occurred 20 
years ago could be noted in MIB records if a company reported it within the 
previous seven years. 

Finally, the MIB also proposed to change the code which reports 
medical information obtained from a Federal agency to read “medical 
information obtained from a Federal medical source.”26 

A further source of controversy has been that codes dropped in the 





21 Letter from Neil M. Day, Executive Director and General Counsel, MIB, to the Privacy 
Protection Study Commission , September 30, 1976. 

?? Testimony of the MIB, Insurance Records Hearings, May 19, 1976, p. 279; Letter from 
Neil M. Day, MIB, to the Privacy Commission, September 30, 1976, p. 4. 

23 Letter from Neil M. Day, MIB, to the Privacy Commission, September 30, 1976, p. 4. 


7 i from Neil M. Day, MIB, to the Privacy Commission, October 28, 1976, p. 4. 
id. 


26 Ibid. 


CamScanner 


162 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


past, as far as reporting requirements were concerned, are nonetheless still in 
the MIB file and thus can still be reported to MIB members. In reaction to 
this criticism, the MIB informed the Commission that the following 
discontinued codes will be purged or subjected to a “no report order”: 
“information obtained through a disability or health claim,’ ‘nonconformi- 
ty,” ‘age,’ ‘environment,’ ‘foreign residence or travel,’ ‘occupation,’ insur- 
ance hazard,’ and ‘finances,’ and, of course, the three nonmedical codes 
mentioned above.?7 

Finally, the entire MIB system is predicated on the rule that the 
receiving company may not base an adverse underwriting decision on the 
information received from the MIB, but must make its own independent 
investigation.?§ Rule 14 reads: 


The information received through the Bureau shall not be used in 
whole or in part for the purpose of serving as a factor in establishing 
an applicant’s eligibility for insurance. 


The application of this rule means that: (a) an application for 
insurance shall never be denied nor shall any charge therefore be 
increased wholly or partly because of information received through 
the Bureau and (b) all information received through the Bureau 
shall only be used as an alert signal.29 


MIB’s Executive Director told the Commission that “. . . Rule 14 is strictly 
adhered to by members who are regularly visited under the Company Visit 


. Program.”3° When questioned, however, he agreed that the requirement to 


conduct an independent investigation may mean simply going to an 
investigative agency and getting old information that was once before the 
basis for an MIB report.3! (Presumably this problem will be alleviated by 
the proposed elimination of inspection bureaus as authorized sources of 
certain types of information.) As to the Company Visit Program, moreover, 
it became apparent that Rule 14 may not be as strictly observed as the MIB 
would like to believe. 

From time to time MIB staff members visit member companies to 
make certain that underwriters understand the Bureau’s rules and to check 
on compliance with them.32 A typical visit includes a check and review of 
the member’s security arrangements and an “audit” of 20 randomly selected 
files.33 Two major kinds of violations are looked for: (1) requests for details 
on MIB codes that have been submitted without first conducting the 


27 Ibid., p.5. 

28 Written Statement of the MIB, Insurance Records Hearings, May 19, 1976, p. 5. 

¥ MIB, “General Rules,” Handbook and Directory, 1971, Rule 14. This is now Rule D.4, 
which reads: “Underwriting information received from MIB shall be used to alert members of 
the need for further investigation of the applicants insurability. In the interest of sound 
underwriting and to avoid unfair competitive practices in the underwriting of risks, MIB record 
information shall not be used as the basis for establishing an applicant’s eligibility for 
insurance.” MIB, “General Rules,” 1977, Rule D.4., 

. Wnitten statement of the MIB, Insurance Records Hearings, May 19, 1976, p. 13. 

? Testimony of the MIB, Insurance Records Hearings, May 19, 1976, p. 250. 


32 Written stat : 
a bite PIG ement of the MIB, Insurance Records Hearings, May 19, 1976, p.7. 





“ 


< 


ra 


89 CamScanner 


The Insurance Relationship 163 


required independent investigation; and (2) adverse underwriting decisions 
that have been made solely on the basis of an MIB code (i.e., violations of 
Rule 14).34 In a letter following his hearing testimony, the Executive 
Director told the Commission that in 1975, “161 member companies were 
visited and 3,200 underwriting files were examined. . .,” but that “in fact 
only fifteen violations [of Rule 14]” were discovered.3° Since the MIB sends 
out 3.5 million positive responses to company queries each year this means, 
if the sampling procedures permit such extrapolation, that overall there were 
approximately 15,000 violations of Rule 14 in 1975. 

The efficacy of the investigation procedure was also questioned by the 
Commission. Each year the Company Visit Program looks at about 3,000 
files (three companies per week, 150 companies per year, 20 files per 
company).36 Because companies may have several regional offices, however, 
and because at the rate of 150 companies per year it would take five years to 
cover all the members, a considerable amount of slippage could go 
undetected. 

Thus, in response to the Commission’s expression of concern, the MIB 
has proposed the following changes. Each MIB member will now be 
required to adopt formal procedures to protect the confidentiality of MIB 
information. In addition, starting in 1977, each member must conduct at 
least annually “a self-audit program to determine whether it has complied 
with MIB’s constitution and rules and whether its internal procedures have 
protected the . . . confidentiality of MIB information.” In addition, the 

‘MIB investigation program, “will be expanded during the course of 1977 to 
include review of the results of members’ self-audits.” Such a review will 
include an on-premise inspection of internal procedures instituted by 
companies to implement certain aspects of MIB policy.37 

Whether this voluntary program will be effective remains to be seen. 
The Commission, however, took the proposed changes into account in 
making its recommendations regarding insurance institutions and support 
organizations and believes that it has also found several ways of reinforcing 
the MIB initiative. 


The Impairment Bureau 


The Impairment Bureau, a service of the National Insurance Associa- 
tion, is another support organization that exists solely to facilitate communi- 
cation among life and health insurers. The Impairment Bureau, however, 
differs from the Medical Information Bureau in several important respects. 

In the first place, the Impairment Bureau’s membership is much 
smaller and while all of its member companies may forward information to 
it, only five do so on a regular basis. Second, information about an 
individual is only sent to the Impairment Bureau when his application has 
been declined. Third, each member regularly receives a report on every 





¥4 Testimony of the MIB, Insurance Records Hearings, May 19, 1976, p. 235. 
35 Letter from Neil M. Day, MIB, to the Privacy Commission, September 30, 1976, pp. 2, 5. 
36 Testimony of the MIB, Insurance Records Hearings, May 19, 1976, pp. 245-47. 

_ 3 Letter from Neil M. Day, MIB, to the Privacy Commission, October 28, 1976, pp. 1-3. 


CamScanner 


a 
nS 


164 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


declination reported to the Bureau without having to ask for information on 
any particular individual. The Bureau compiles the information it receives 
on sheets which contain approximately 60 entries per page. Each entry 
contains the name of the applicant, his date and place of birth, the date of 
the rejection, a coded entry representing the cause of the declination, a 
coded entry representing the name of the reporting company, and the city 
and State where the applicant resides. This information, on approximately 
2,000 declined applicants a year, is sent every other month to all member 
companies. 

Like MIB records, Impairment Bureau records contain some informa- 
tion on conditions other than medical ones. Unlike the MIB, however, the 
Impairment Bureau does not have any specific rules to govern the use of the 
information it disseminates to member companies or the functioning of the 
Impairment Bureau itself. Each company may use the declination informa- 
tion as it sees fit and could, for instance, decline an applicant on the basis of 
the previous declination alone. On the other hand, the Impairment Bureau 
does not retain copies of the information submitted to it and has not done SO 
since 1964. It merely compiles and distributes information to its members on 
the basis of the reports it gets from them. Once it has performed this 
function, the incoming reports are destroyed.38 


PROPERTY AND LIABILITY INSURERS 


In contrast to most life insurers, a property and liability insurance 
company has a ready market among people concerned about the replace- 
ment cost of tangible assets or about protecting themselves against liability 
claims brought by others. A Property and liability company, moreover, can 
increase the price charged a policyholder or effectively cancel the risk by 
declining to renew coverage at the expiration of each contract period. Yet, 
as in the case of life and health insurance, detailed information is needed to 
decide whether to accept the risk in the first instance and how much to 
charge. 

With property insurance, the items to be insured need to be identified 
accurately and valued, and the degree of care taken to protect them against 
fire, theft, or loss established. Since these coverages are also susceptible to 
abuse and fraud, the company wants to know enough about an applicant to 
make a reasonably confident estimate of his probable loss characteristics. 
Because liability insurance protects a policyholder against legal damages he 
may incur through negligence, underwriters consider it important to know, 
in the case of homeowners coverage, whether his home is well maintained 
and reasonably free of hazards, or to know, in the case of automobile 
insurance, whether he and others regularly using the car are responsible 
drivers. Although the applicant and agent are again primary sources of such 


ee 

38 This description of the Impairment Bureau is based on a letter from Charles A. Davis, 
Executive Director, National Insurance Association, to the Privacy Commission, May 17, 1976; 
and a Privacy Commission staff interview with Clarise Hall, National Insurance Association, 
August 27, 1976, 


689 CamScanner 


-— 


The Insurance Relationship 165 


information, a company often checks the information they provide through 
an inspection bureau report or other sources considered more impartial. 

The types of information needed to underwrite automobile insurance 
include name, address, date of birth, marital status, sex, occupation, driver’s 
license number, use of vehicle, any physical impairments, how long licensed 
(if less than three years), and information regarding any accident or moving 
traffic violations in the past three years. State motor vehicle department ° 
records are often checked to verify the driving record of the applicant and 
members of his family. Some companies also require a physician’s statement 
for elderly or physically impaired drivers. Finally, automobile underwriters 
sometimes order an investigative report on an applicant to find out whether 
his character, mode of living, and reputation in the community, may, in the 


judgment of the underwriter, influence the frequency of claims or the 


applicant’s “defendability” in court. In other words, these reports are used 
by an auto insurer to determine whether the premium at which a policy may 
be issued is the correct one, but also, if highly derogatory information is 
uncovered, whether the policy should be issued, or if it has already been 
issued, whether it should be renewed. 

For underwriting other forms of personal property and liability 
insurance, such as homeowners’ policies, personal property floaters, fire 
policies, and boat policies, information requirements vary widely. To 
prepare and issue homeowners and fire policies, for example, the informa- 
tion required would include type of construction, age of dwelling, and 
distance to the nearest fire hydrant and fire department. For certain 
properties, an appraisal of their value may be required. 

Information is, of course, also sought in the settlement of property and 
liability claims. Usually, this involves no other contact beyond the insured, 
the police or fire authorities, and the repair concerns involved in placing the 
property back in its original condition. Where the policy covers bodily 
injuries, however, contact may be made with the attending physician, the 
hospital, or other providers of medical services regarding the nature and 
extent of the injuries and the reasonableness of fees charged for services. In 
those few situations involving suspected fraud, the investigative activity may 
involve more extensive interviewing which can include witnesses, discus- 
sions with local law enforcement officials, and securing other background 
information that may be necessary to prepare for an effective defense if the 
claim is denied. | 

The investigation of claims or losses to determine the policyholder’s 
liability to others (i.e., “third-party claims”) will generally result in greater 
information gathering. A very detailed and complete investigation will 
frequently be made to determine the insured’s responsibility for injury or 
damage and the degree or extent of such injury or damage. The role of 
inspection bureaus and private investigative agencies in the settlement of 
property and liability claims is briefly described in Chapter 8. 


P 


THe Loss INDEXES ~ 


In the processing of claims, the indexes of the American Insurance 


CamScanner 


166 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


Association (AIA) may be checked to determine whether the claimant has 
had a series of prior losses or is submitting claims for the same loss to other 
companies. These indexes cover fire, burglary and theft, and fine arts losses, 
as well as third-party personal or bodily injury claims arising under 
automobile, homeowners, malpractice, and worker’s compensation poli- 
cies.39 Many property and liability companies in the industry subscribe to 
the loss indexes. When a claim is filed, the insurer reports basic information 
on the claim to the proper index and, in return, receives from the index a 
copy of any previously filed reports on the claimant. In addition, the insurer, 


on the basis of such a report, can go to the company that filed it for further 
information. 


' The Fire Marshal Reporting Service 


The Fire Marshal Reporting Service (FMRS) reports to fire marshals 
in 27 States on fire claims its members have paid. In addition, the FMRS 
maintains an index on reported fire losses in every State which any member 
can use to determine the prior loss record of a claimant as a check, for 
example, on arson. Membership in the Service is available to all interested 
insurance companies in the United States, At present 189 belong.4° 

Unlike reports made to the other indexes, reports made to the Fire 
Marshal Reporting Service are made after the claim has been paid. Reports 
are mandatory in those 27 States where the Fire Marshal must be notified of 
all losses above a minimum amount ranging from $10 to $250. Otherwise, 
the Service accepts reports of losses in amounts of $250 or more. Currently, 
there are 1,067,000 loss reports on file, all of them generated within the 
previous six years.41 

Like Index System records (see below), Fire Marshal Reporting 
Service records are obtainable solely for the purpose of processing claims. 
“For a subscriber’s authorized reporting office to initiate a search, the office 
must be handling and report a claim under the lines of coverage serviced 

. .’42 The requirement that records be used only for claims purposes is 
enforced by requiring an index card from the inquiring subscriber before 
making any search or giving out any information. 


The Burglary and Theft Loss Index 


company to receive reports from both s 
Theft Index, a member may detect simultaneous claims on the same item or 
a claim on a loss for which the claimant has previously been reimbursed. 
Part of the Burglary and Theft Loss Index is the F ine Arts Loss Index whose 
a 

39 Testimony of the American Insurance Association (hereinafter cited as “AIA”), Insurance 
Records Hearings, May 21, 1976, pp. 755, 764 - 66. 


*° Ibid., pp. 764 - 65. 
41 Ibid., p. 765. 


ystems. By using the Burglary and 


42 Jbid. 


859 CamScanner 


The Insurance Relationship 167 


function is to expose fraudulent claims involving art objects and to help 
locate missing ones that have been the subject of prior claims.*% 


The National Automobile Theft Bureau 


The National Automobile Theft Bureau is a service organization 
sponsored, operated, and supported by approximately 500 insurance 
companies writing automobile, fire and theft insurance. The primary 
objectives of the Bureau are to assist in the recovery of stolen automobiles, 
to investigate automobile fire and theft losses which may be fraudulent, and 
to promote programs designed to prevent or reduce such losses. The Bureau 
operates as a national clearinghouse for stolen car information. Member 
companies report automobile thefts to the Bureau and the Bureau notifies 
member companies of recoveries, which are made primarily from police 
tow-away pounds. 

According to its operations manual, the Bureau maintains the 
following record systems: 


¢ National Stolen Vehicle File. This contains all Bureau mem- 
bers’ reports on stolen vehicles and is used to detect 
fraudulent theft claims when several companies provide theft 
coverage on the same vehicle. Subfiles include information on 
impounded vehicles and stolen parts. 

° National Salvage File. Records in this system indicate the 
disposition of all late model vehicles sold for salvage by 
member companies. Each entry of a salvage record creates an 
automatic inquiry against the master file by vehicle identifica- 
tion number, State license number, named insured, and 
salvage purchaser. Inquiries to the system may detect dual 
insurance coverage, multiple losses by a named insured, 
fraudulent claims based on the use of salvage documents or 
counterfeit documents on nonexistent vehicles. 

° Manufacturers’ Production Records. These are used in verifying 
that a vehicle was actually produced, and may also be used to 
find the dealer to whom a particular vehicle was originally 
sold. Each of the major U.S. manufacturers provides them to 
the Theft Bureau on microfilm. 


The Index System 


The Index System accumulates and makes available to its subscribers 
records concerning third-party personal and bodily injury claims. The Index 
System is maintained solely for use in claims processing. Ten branch offices 
serve all 50 States, the District of Columbia, the Commonwealth of Puerto 
Rico, and the Virgin Islands.44 Subscribers report claims to the office 
servicing the territory where the incident occurred. Receipt of a properly 


43 Ibid., p. 766. , 
“4 Ibid., p. 756. 





89 CamScanner 


168 PERSONAL PRIVACY IN AN INFORMATION SOCIETy 


completed index card from a subscriber triggers a search of the Index. If the 
search turns up prior submissions on the claimant, the subscriber will be 
sent a photocopy of all of them. _ 

The Index System is decentralized. Searches are normally limited to 
the records of the receiving branch office. Where the submitted index carg 
shows that the claimant lives or once lived in the geographic area of another 
office, however, the inquiry is automatically referred to that other office for 
further checking and disclosure directly to the inquiring company of any 
record found.*> The Index System “Instructions for Subscribers” says that 
“each subscriber is expected to cooperate by furnishing information 
contained in its claims files to other subscribers. . .,”46 and also permit the 
insurer who has been asked for information to ask, in turn, for information 
from the inquirer. This allows two insurers who are in the act of settling 
claims by the same individual to communicate with each other. 

There are two limits to these exchanges of claims information directly 
between insurers. First, “the exchange of information on [auto-related] 
medical payment, death and disability claims is at the discretion of the 
subscriber.”47 Second, “the Inquiry Form is to be used only in cases where 
substantial claims are involved to relieve subscribers of unnecessary work in 
procuring and examining closed files.”’48 (Italics in the original.) 

Reports to the Index System must be limited to claims of the following 
types: automobile liability (including uninsured motorists); automobile 
accident reparation (or personal injury protection); liability other than 
automobile, including liability claims under homeowners, commercial, 
multiple peril, yacht, pleasure craft, and aircraft policies; claims based on 
false arrest, assault and battery; malpractice claims; and worker’s compen- 
sation claims. Worker’s compensation claims are supposed to be reported 
only when they involve: (1) disability due to amputation, back injury, 
disfigurement, dislocation, eye injury, fracture, head injury, hernia, loss of 
hearing; (2) injuries with possible lost time payments of $500; (3) 
occupational diseases with possible medical and lost time payments of 
$1,000; (4) lost time.claims by longshoremen and construction workers: or 
(5) a suspicion of fraud. A report must be made on any claim falling in these 
areas, except that reports on auto-related medical, death and disability 
claims are discretionary.49 

Subscription to the Index System is open to “all insurance companies 
writing bodily injury liability coverages without regard to membership in the 
American Insurance Association.”5° To belong to the System, one must 
either be a liability insurer where liability claims are made against an 





45 American Insurance Association, “The Index System: Instructions for Subscribers,” May, 
1974, p. 2; Testimony of AIA, Insurance Records Hearings, May 21, 1976, pi tot. 

* AJA, “Instructions for Subscribers,” p. 3. 

47 Ibid., p. 3. 

48 Ibid, a 

49 Ibid., p. 1. “ 

5° Testimony of AJA, Insurance Records Hearings, May 21, 1976, p. 755. 


89 CamScanner 


The Insurance Relationship 169 


insured, or a self-insurer (such as an employer) which may have liability 
claims made directly against it.5' About 26 percent of the Index System 
subscribers are self-insurers, but they represent a very small percentage of 
those that report.52 In total, the Index System currently has 1,183 
subscribing insurers and self-insurers and maintains records on approxi- 
mately 28 million bodily injury claims reported during the System’s six-year 
report retention period.°% 

A witness from the Index System offered some anecdotal evidence of 
its efficacy in uncovering fraud. One story tells of an elderly woman who 


constantly sustained minor injury to her mouth because of glass in a 
sandwich. 


In appearance, she resembled the classical image of . . . [a] 
grandmother—unassuming, nondemanding, doing a public service 
by calling attention to a deficiency in an insured’s kitchen with no 
intent of making a fuss. From the viewpoint of the insurance carrier, 
liability was there; the demand was modest. The settlement was 
simple and uncomplicated. In fact . . . the insurance company 
almost had to force payment upon the claimant to accept any 
compensation for her inconvenience and minor injury. 

The sad truth was that “grandma” was a_ professional 
claimant. In her purse, she carried glass fragments which she would 
place in her mouth to cause a laceration. She would, then, call the 
waiter, display the physical evidence of the glass bit and the bloody 
napkin. Her manner would be mild and full of concern for other 
diners who might not be so fortunate in sustaining only a minor 
injury. She was literally in the claim business. 

Fortunately, in her travels, she did establish a pattern of 
reports involving subscribers [to the Index System] which led to an 
investigation of her activities and ... agreement to divert her 
activities to more constructive lines.°4 


INFORMATION FLOWS FROM INSURANCE INSTITUTIONS 


Both life and health and property and liability insurers routinely 
disclose information about an applicant or insured to the agent, to the extent 
necessary to service the policy; to reinsurers (when a company underwriting 
a large policy wants to reduce its exposure to loss); to an insured’s 
physician; to inspection bureaus to facilitate the preparation of an 
investigative report; and to other types of investigators asked to prepare 
such reports. Because insurance is often required to buy a house, operate a 
Car, pursue a career, or conduct a business, they may also disclose 
information about an individual to loan institutions and employers. 

Further, life and health insurers, as indicated in the preceding sections, 
also disclose information to the Medical Information Bureau or the 


—— 
51 Ibid., p. 169. 
82 Ibid. p.773. 
53 Ibid., p. 756. y 
“4 Ibid., pp. 760 - 61. A 


689 CamScanner 


170 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


Impairment Bureau, and may provide details to another member insurer 
when requested to do so. Property and liability insurers, for their part, 
routinely notify the loss indexes of certain claims, and, in some cases, may 
notify the Insurance Crime Prevention Institute (see below). 

Some potential insureds are judged to be so likely to produce adverse 
claim experience that they cannot obtain insurance in the normal manner. 
The driver with a poor record poses two problems. The first is meeting his 

own acute need for financial protection and perhaps his ability to qualify 
legally as a registered vehicle owner. The second is protecting society from 
the harm which an unsafe driver is likely to inflict on others. State 
“assigned-risk” insurance plans were formed to provide coverage to a driver 
whom companies consider an unacceptable risk and thus can require 
information about him to be disclosed to the administrators of the plan as 
well as to the insurance company to which his application is assigned. 

Both life and health and property and liability insurers may release 
information about individuals to State insurance department officials in 
response to inquiries or complaints, and in the course of periodic 
examinations of company underwriting practices and procedures by such 
officials. Independent auditors employed by an insurance company make 
similar checks for the same purpose. In addition, because insurance 
companies are repositories of detailed information about individuals, their 
records are often requested by Federal as well as State government agencies 
and law enforcement authorities. 

Finally, to make it possible for residents and property owners in high 
risk locations to purchase insurance against losses due to crime, civil 
disorders, and floods, partnerships have been formed between insurers and 
government agencies which make it necessary for insurers to disclose 
information about individuals to the agencies participating in such 
programs. 


INFORMATION FLOws FROM SUPPORT ORGANIZATIONS 


The extensive flow of information about individuals into and out of 
organizations that conduct underwriting and claims investigations for 
insurers is described in Chapter 8. Medical Information Bureau rules, 
however, require a court order before information about an individual may 
be disclosed to anyone other than a member insurance company and while 
the property and liability loss indexes will be satisfied with a subpoena, 
rather than a court order,°> they normally disclose information in their 
records only to a subscribing insurer submitting a properly prepared index 
card in connection with a current claim. The exceptions to this policy are the 
disclosures the Index System makes to the Marine Index Bureau and the 
disclosures any of the indexes may make to the Insurance Crime Prevention 
Institute (ICPI), 


As indicated earlier, subscribers to the Index System are told to report 
a 
55 A witness told the Commission that the loss indexes receive about 100 subpoenas a year 


from government agencies and that while for many they have no information to disclose, when 
they do have information they comply. Ibid. p. 776. 





CamScanner 


The Insurance Relationship 171 


lost-time claims filed by longshoremen. One reason for this is to make such 
information available to the Marine Index Bureau, whose subscribers are 
vessel owners. The owner of a vessel is responsible for its seaworthiness 
which includes the quality of the crew.°6 
In addition, an index may disclose information about an individual to 
the Insurance Crime Prevention Institute. As one witness from the indexes 
told the Commission: “We are an indicator. If the reports from the index 
system discern a pattern that might be of interest to the carrier or the ICPI 
. . it is referred to them.”57 According to the testimony, however, an index 
would not send unsolicited reports to the ICPI unless it receives “four within 
a relatively short period of time of the same nature,” or unless, in a two- 
claim situation, “the accident occurred on the same date with different 
insurers or at a different place with the same injury.” Alternatively, the ICPI 
may come to an index and ask for a search, in which case it is treated in the 
same manner as any subscriber.58 


The Insurance Crime Prevention Institute 


The Insurance Crime Prevention Institute is a nonprofit corporation 
which operates as a trade association to uncover insurance fraud for 
property and liability insurers. The ICPI has its headquarters in Westport, 
Connecticut, maintains regional offices in New York City, Chicago, and Los 
Angeles, and has investigators stationed in major cities throughout the 
country.59 Membership is open to property and liability insurance compa- 
nies licensed in any of the 50 States.6° Currently its membership is made up 
of 312 companies that underwrite 70 percent of the casualty and property 
insurance business.®! . 

ICPI’s purpose is to prevent and detect fraudulent insurance claims. 
Its focus is solely on criminal fraud, and the Institute’s bylaws specifically - 
prohibit it from assisting companies in claims settlement or civil actions 
incident to settlements.62 Typically, an Institute investigation begins when a 
member sends information on a claim which the company suspects may 
involve criminal fraud. Other investigations are initiated by the ICPI based 
on information it receives from various sources, such as law enforcement 
agencies, “inside tipsters, 63 or the loss indexes. In either case, however, the 
ICPI has complete control over its investigative activities, and may decline 
or initiate investigations as it sees fit. | 

If an ICPI investigation produces reasonable evidence of fraud, the 





56 [bid., p. 769. 

57 Ibid., p. 768. 

58 Jbid., p. 772. 7 . 

= Sieueat of the Insurance Crime Prevention Institute (hereinafter cited as ICPI”), 
Insurance Records Hearings, May 21, 1976, p. 1. 

6 ICPI, “By-Laws,” Art. III, § 1. a ‘ 

61 Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. 1; Testimony © 
ICPI, Insurance Records Hearings, May 21, 1976, p. 116. 7 

€ Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. 1; ICPI, “ICPI 
1975,” p. 2; ICPI, “By-Laws,” Art. I. , 

63 Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. 1. 


4 
Z 


689 CamScanner 


172 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


matter will be “reported to a public law enforcement agency for whatever 
action it deems to be appropriate.”6* The ICPI investigator may go to 
insurance companies or an index for information. Going to an index will, of 
course, lead the investigator back to the insurers that have had claims filed 
by the individual under investigation. The investigation may consist of 
interviewing the claimant, verifying medical statements, verifying lost-wage 
statements, or searching police or court records.§5 
The Director of the ICPI testified that the Institute 


exercises extreme care in referring its investigative findings to law 
enforcement agencies . . . . Each case is checked for completeness 
of investigation and sufficiency of evidence before the investigator 
is authorized to present his report to a law enforcement agency. 
Aside from considerations of fairness to the subject of the 
investigation, civil tort law provides adequate incentive for cau- 
tion.66 


Where there is evidence of professional misconduct, such as where a 
physician inflates a bodily injury insurance claim, the ICPI can also make its 
file available to licensing authorities.67 

ICPI characterized its relationship with the law enforcement commu- 
nity in its testimony as that of a “citizen coming forward with evidence of a 
crime.”68 The Institute will sign criminal complaints to initiate prosecution 
in instances where an insurance company has been the victim of a fraud 
and, when it does so, will voluntarily give a copy of its file to law 
enforcement officials. As the ICPI Director testified: ; 


It is a generally recognized exception to the principle of confiden- 
tiality that an insurance company, finding itself to be the victim of a 
fraudulent.claim, may voluntarily release the pertinent records of 


that transaction to the police to obtain criminal justice. . . . The 
Institute, in effect, does no more than to perform this task for the 
insurance company.®9 


Occasionally, law enforcement officials will come to the ICPI for 
information: 


If there is a large arson in the Bronx on Sunday night, on Monday 
morning we are going to get a call to ask if we have a file on the 
owner .. . . If it is a legal and valid investigation, we will assist 
them in getting the information.7° 


The ICPI employs approximately 70 full-time investigators, most with 


64 Ibid. 

65 Testimony of ICPI, Insurance Records Hearings, May 21, 1976, pp. 776 - 77; ICPI, “ICPI - 
1975.” ‘. 

8 Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. 2. 

87 ICPI, “A Prosecutor’s Introduction to ICPI,” p. 4. 

68 Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. 2. 


% Jbid., citing Burrows v. Superior Court, 13 Cal. 3d. 238, 245 (1975) as by analogy providing 
an exception from the rule of confidentiality. 


7° Testimony of ICPI, Insurance Records Hearings, May 21, 1976, pp. 784 - 85. 





689 CamScanner 


The Insurance Relationship 173 


law enforcement backgrounds, and is licensed as a private detective agency 
in those jurisdictions which require licensing.7! It investigates about 6,000 
cases each year. In 1976, this resulted in the indictment of about 600 people. 
According to the testimony, it concentrates on two main areas of criminal 
fraud. The first is the ambulance-chasing attorney or the doctor who 
exaggerates claims, and the second is organized crime.?2 


THE INDIVIDUAL IN THE INSURANCE RELATIONSHIP 


As is evident from the preceding sections, the insurance industry is 
highly dependent upon recorded information about individuals. This 
dependence creates a number of privacy protection problems, some of 
which are inherent in the insurance system, but can be controlled, and some 
of which present real or potential abuses that need to be eliminated. 


THE INTRUSIVENESS OF CERTAIN COLLECTION PRACTICES 


_ Insurance underwriting involves two separate decisions: (1) whether 
the insurer wants to insure the applicant at all (selection); and if so, (2) at 
what price and terms (classification). The need to make these two judgments 
dictates the kind and quality of information an insurance institution collects 
and maintains about an individual applicant or policyholder. 

In making these two types of decisions insurers look to physical 
hazards—medical hazards in life and health underwriting and in property 
and liability underwriting, the condition of the property, its use, and its 
surroundings. Underwriters also look to what is termed moral hazard. 
Evaluation of moral hazard is made by examining attributes of the applicant 
which suggest a greater than average likelihood of a loss occurring or the 
potential for unusual severity of loss—either an absence of a desire on the 
part of the individual to safeguard himself or his property from loss or a 
positive willingness to create a loss or to deliberately inflate a claim. 

Thus, it is not surprising that the evaluation of moral hazards, 
particularly in property and liability underwriting, is the area where the 
‘greatest number of objections to insurers’ information collection practices 
have been raised. An inquiry may cover drinking habits, drug use, personal 
and business associates, reputation in the community, credit worthiness, 
occupational stability, deportment, housekeeping practices, criminal histo- 
ry, and activities that deviate from conventional standards of morality, such 
as living arrangements and sexual habits and preferences. Because the 
relevance of many of these particulars can be hard to demonstrate, and 
because the judgment as to their relevance is often left to the underwriter 
handling a particular case, their propriety has become subject to question. 

From the standpoint of many applicants and insureds, the dichotomy 
between the individual’s privacy interest and the insurer's interest in 
evaluating risk is probably not as great as it seems at first glance. The low- 


Ls 
"! Ibid., p. 778; Written statement of ICPI, Insurance Records Hearings, May 21, 1976, p. 1; 
ICPI, “ICPI-1975,” p. 9. 


” Testimony of ICPI, Insurance Records Hearings, May 21, 1976, pp. 786-87. 


4. 


a 


689 CamScanner 


174 PERSONAL PRIVACY IN AN INFORMATION SOCIETy 


risk applicant benefits from an underwriting evaluation that results in 
unusual risks being eliminated or written at a higher premium because that 
keeps the cost of his insurance down. The Commission was continually 
reminded that it is in the interest of the applicant to have complete and 
accurate information on which this judgment can be based so that he can be 
insured at the proper rate; that the insurer must be able to evaluate the risk 
it is being asked to assume if premium charges are to bear a reasonable 
relationship to expected losses and expenses for all insureds within a similar 
classification. 

Economic forces may, however, work against a given individual. 
Because insurers compete against each other for the better risks, they do not 
have much incentive to look behind some of the criteria they use to sort the 
good risks from the bad. If their experience suggests, for example, that 
slovenly housekeepers make poor automobile insurance risks, they tend to 
be wary of all slovenly housekeepers. The problem, in other words, is not 
that the category of information lacks predictive value in all instances, but 
rather that it is applied too broadly. 

Another source of concern in the area of intrusive collection practices 
stems from the use of so-called pretext interviews and other false or 
misleading information-gathering techniques. This concern was brought 
into sharp focus by recent publicity concerning Factual Service Bureau, Inc. 
(now Inner-Facts, Inc.), an investigative-support organization whose 
services were used by insurers in a number of cities throughout the country. 
Factual Service Bureau employees regularly misrepresented their identity 
and purpose in order to obtain medical-record information from hospitals 
and other medical-care providers without authorization. The insurers that 
used Factual Service Bureau should have known that it employed such 
intrusive techniques and generally engaged in questionable methods of 
information collection. Factual Service Bureau openly advertised its ability 
to procure confidential information about an individual without his 
authorization.”3 Thus, even the insurers who had no actual knowledge of the 
techniques being used by Factual Service Bureau on their behalf may be 
said to have condoned its activities by their silence or failure to investigate 
more fully the practices and techniques used. 

The Factual Service Bureau case also illustrates a broader problem 
which results from the apparent lack of restraint exercised by insurers over 
the support organizations they use to collect information about individual 
applicants, insureds, and claimants. In the claims area particularly, where a 
great deal of money may be at stake or where the suspicion of fraud may be 
high, many insurance companies have tended to look the other way while 
hiring support organizations that use questionable information collection 
practices and techniques. 





8 A Factual Service Bureau advertising flyer asks, “Have you been denied medical 
authorization by a claimant? Does the claimant’s attorney withhold medical information from 
you, or submit only ‘partial’ medical records? If either of the above is true, let Factual Service 
develop the true medical picture. We have specialized in background medical investigations for 
over two decades.” 


od 


CamScanner 


wn 


The Insurance Relationship 175 


UNFAIR COLLECTION, USE, AND DISCLOSURE PRACTICES 


Because of their acknowledged dependence upon information about 
individuals, insurance institutions are reluctant to deprive themselves of 
inexpensive access to it. There are few restrictions within the industry on the 
sharing of personally identifiable information or on obtaining it from 
sources outside the industry. This is true of insurance institutions and 
support organizations alike, and can lead to some highly questionable 
collection, use, and disclosure practices. . 

As indicated earlier, the Medical Information Bureau, until recently, 
retained claims information even though it no longer allowed it to be 
reported, and inserted a “failure to find impairment previously reported” 
code rather than deleting the impairment reference. To maximize the utility 
of information already collected, insurance institutions also piggyback on 
the information collection and use practices of other insurance institutions 
and support organizations. This dependence adds to the widespread 
exchange of information throughout the industry, not only by organizations 
like the Medical Information Bureau and the Impairment Bureau but by, 
investigative-reporting agencies (inspection bureaus) and other insurance- 
support organizations that save and reuse the information they collect. 
Thus, once a mistake enters the system, its adverse effects are likely to 
proliferate, resulting in repeated unfairness to the individual. 

The competition among insurance institutions has generally militated 
against adequate sensitivity to the fairness issue in record keeping. To be 
sure, this situation has been changing as particular companies have 
promulgated privacy protection principles to be followed in the conduct of 
their business. Except for the support organizations subject to the Fair 
Credit Reporting Act, however, record-keeping practices still remain by and 
large discretionary within the industry. 

Insurance institutions and their support organizations have been 
concerned about certain types of disclosures to third parties and about data 
security problems. The admitted purpose of these safeguards, however, is to 
protect the business privilege as a limited defense to common law actions of 
defamation. Thus, they do little to constrain exchanges of information about 
individuals within the industry or to control the quality of the information 
used. 

The lack of attention to fairness issues in record keeping about 
individuals has resulted in the structuring of information flows and uses so 
that neither the insurance institution nor the individual applicant, insured, or 
claimant is responsible for the quality of the information used. The individual is 
at a disadvantage because record-keeping practices within the industry are 
opaque from his point of view. He currently enters into an insurance 
transaction without being aware of the relationship’s implications for his 
personal privacy because he does not understand how extensive or intrusive 
information gathering may be. Nor does he know the consequences of the 
notices on his application—for example, that the Medical Information 
Bureau notice means information about him may be reported to the Bureau 
not only from the application itself, but also as a consequence of the 


CamScanner 


176 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


underwriting investigation the insurer may conduct. Because he lacks 
adequate knowledge of the practices followed, the individual cannot make 
the forces of the marketplace work for him. He is not given an opportunity 
to weigh the relative benefits which might be obtained through the insurance 
transaction against the personal cost of revealing and having others reveal 
information about him. 
Nor does the individual always know why the insurer is collecting 
information about him, or when it is being collected for purposes unrelated 
to establishing his eligibility for an insurance. benefit or service. Insurers 
frequently collect marketing and actuarial information through the applica- 
tion. When.a claim is filed, they may collect information for the purpose of 
reviewing the propriety of.a treating doctor’s fees or procedures as well as 
the eligibility of the particular claimant or the particulars of the specific 
claim. They may collect additional information to determine the advisability 
of continuing to market a particular kind of insurance. Yet, they do not 
normally advise the individual that this is being done. 
The individual is also placed at a disadvantage when he is asked to 
‘sign a form authorizing the release of recorded information about himself, 
‘because he is not specifically apprised of what he is consenting to. The 
‘commonly used blanket authorization form, in essence, authorizes the 
release ‘of ‘all information about the individual in the hands of anyone. 
Moreover, the type of authorization form currently used by insurance 
institutions typically has no stated purpose or expiration date, and may not 
be limited either as to the scope of the investigation or as to the sources of 
information. This again -reflects the natural reluctance of insurance 
institutions to deprive. themselves of easy access to any potentially useful 
information, or to decide in advance what information is needed for what 
purpose. | 
As far as fair.use.is concerned, the relationship between the individual 
and.an insurer is often unnecessarily and. undesirably attenuated. Informa- 
tion he provides about himself is only partly the basis for the decision made 
about him, and the decision is made by someone he does not know and with 
whom he normally has no direct. interaction: In addition, records main- 
tained by a variety of institutions within and without the industry. may be 
brought ‘to bear on the decision about him, while he believes he is only 
dealing with one such ‘institution. That one institution, moreover,: assumes 
no obligation to give him access to the information.compiled about him or 
to afford him the opportunity to correct or amend information he believes to 
be inaccurate. 

__ Under the existing system, the individual cannot adequately protect 
himself against the use of poor quality information in making underwriting 
decisions about him. Frequently, the individual is not told the reason for an 
adverse Insurance decision. The insurance laws and regulations of many 
States require insurers to disclose to the individual (in some cases, only on 
Tequest) the general reasons for cancelling or refusing to renew a personal 


CamScanner 


The Insurance Relationship 177 


automobile insurance policy. Few States, however, require insurance 
institutions to give individuals the reasons for a declination or a rating." If 
the reason and supporting information for an adverse underwriting or rating 
decision do not arise out of a report prepared by a support organization 
subject to the disclosure provisions of the Fair Credit Reporting Act, the 
individual may be unable to find out why the decision was made, or whether 
inaccurate or incomplete information was at fault. 

Life and health insurance institutions generally advise an applicant of 
the information that led to an adverse underwriting or rating decision only if 
they consider the information harmless (e.g., hazardous occupation, obvious 
health impairment). Typically, however, the. specific items of information 
and their source are not revealed unless they came from a support 
organization subject to the Fair Credit Reporting Act, or from the applicant 
himself. When an individual requests a specific explanation for an adverse 
decision and the basis was medical-record information, most life insurers 
will divulge the information, but only to the applicant's personal physician. 
However, they virtually never tell the individual the specific reasons and 
supporting information for an adverse decision when the information 
concerns his character, morals, or life-style. 

In property and liability insurance, an adverse decision may or may 
not lead to the insurer divulging the reasons and supporting information to 
the applicant. As in the life and health area, whether the insurer considers 
the information to be harmless will be a factor. With the exception of the 
State automobile insurance laws and regulations mentioned above, however, 
the consumer has no legal right to be told the reasons or information 
supporting an adverse insurance decision. 

When an individual contacts the Medical Information Bureau, he or 
his physician, in the case of medical-record information, only learns the 
summary data that has been reported about him.”> He does not learn how 
the reporting insurance company translated the underlying information into 
a code, and while he is told where the underlying information is, he, unlike 
another insurer, cannot get it automatically from the reporting company. 

If the adverse decision was based on information in a report prepared 
by an inspection bureau, the Fair Credit Reporting Act only requires the 
insurer to tell the individual the organization’s name and address. [15 U.S.C. 
168]m] The individual has the right to learn the “nature and substance” of 
the information about him in the inspection bureau’s files, but this is no 
assurance that he will be able to identify the reason for the adverse decision 
or the particular items of information on which it was based. To go to the 
inspection bureau is time-consuming for the individual and may effectively 
prevent him from getting on firm enough ground to ask for reconsideration 
of the decision if it turns out that there was erroneous information in the 


14 William J. Giacofci and John A. Andryszak, “Summary of State Insurance Laws and 
Regulations Serving to Protect the Individual’s Right to Privacy,” Maryland Casualty 
Company, July 1976. 

Testimony of the MIB, Insurance Records Hearings, May 19, 1976, pp- 265-67. The 
Federal Trade Commission believes that the MIB is subject to the Fair Credit Reporting Act 
and thus must give access. While the MIB denies this, it nonetheless grants access and thus the 
issue has not been brought to a head. ( 


CamScanner 


178 PERSONAL PRIVACY IN AN INFORMATION SOCIETy 


report. To have a real voice in the quality of information on which decisions are 
based, the individual needs to know the reasons for the adverse action and the 
specific items of information that support the reasons. 

The Commission is also concerned that the mere fact of a previous 
adverse underwriting decision may unfairly stigmatize an individual who 
applies later for comparable insurance. Without knowing the reasons for jt, 
some insurers use the mere fact of a previous declination or other adverse 
decision by another insurer as the basis for rejecting an applicant.76 Yet g 
previous declination may have nothing to do with the individual’s 
qualifications where, for instance, the insurer that declined him did so only 
because it had decided to restrict its underwriting in a certain area. Thus, 
when an insurer acts on the fact of a previous adverse decision alone, it may 
reject an individual whom it would otherwise have accepted if accurate and 
complete information were developed. Stigma may also result when an 
individual has previously purchased insurance from a “substandard” insurer 
or through an “assigned-risk” plan, even though the reasons for such 
previous action may not involve the individual or his eligibility directly.77 

The Commission has not found that this problem exists in life and 
health insurance underwriting to the degree that it clearly does in personal 
property and liability insurance. Property and liability insurance applica- 
tions often ask the individual whether he has previously been declined or 
rated, but rarely ask the reason for the rejection, presumably because, under 
the current system, the applicant will seldom know. A high percentage of the 
reasons may, in fact, relate to adverse characteristics possessed by the 
individual applicant or insured, as opposed to a general market condition 
unrelated to the individual’s characteristics. Present practice, however, fails 
to distinguish between the two types of rejections. 

“Accepting from. lay sources information that only a professional is 
‘competent to report is another questionable practice that stems from an 
insurer’s reluctance to deprive itself of any information that may turn out to 
be useful. Medical-record information is crucial to life and health insurance 
underwriting and to claims processing. Collection of such technical 
information from anyone other than the individual himself, a medical 
source, or a close family member invites inaccuracies. Nevertheless, some 
insurers not only seek information concerning an individual’s health from 
agents, or from the individual’s neighbors, friends, and associates, but also 
use it as the basis for declining his application. Such information may also 
be communicated to other insurers. Until recently, the Medical Information 





76 Written statement of Federal Insurance Administration, Department of Housing and 
Urban Development, Insurance Records Hearings, May 20, 1976, pp. 6 - 11; Department of 
Transportation Study, “Motor Vehicle Crash Losses and Their Compensation in the United 
ee Testimony of Benjamin Lipson, Insurance Records Hearings, May 20, 1976, pp. 407- 


7,Written statement of Federal Insurance Admininstration, Department of Housing and 
Urban Development, Insurance Records Hearings, May 20, 1976, p. 9; Department of 


Spal ile eg Study, “Motor Vehicle Crash Losses: Their Compensation in the United 
tes.” p. 68. 


i 


CamScanner 


— 


The Insurance Relationship 179 


ed medical information obtained from lay sources, and the 
[Impairment Bureau and the property and casualty loss indexes still do.78 

Although support organizations such as the Medical Information 
Bureau have rules with respect to the type and quality of information 
reported to them, the rules are difficult to implement and enforce. The MIB, 
for example, has no way of knowing, except through periodic audits of 
member companies, whether medical or other information reported to it has 
come orginally from an authorized source. Thus, it cannot effectively 
control the quality of information in its files. Nor does the Bureau keep a 
complete accounting of all the disclosures,79 the result being that it cannot 
always propagate corrections when inaccuracies are discovered. The 

roperty and liability loss indexes also have no way of knowing whether a 
subscriber has falsely filed an index card without having a real claim, or 
whether, once received by an insurance institution, the index information is 
used for other purposes, such as underwriting, or making a personnel 
decision.8° 

Perhaps the best example of the inability of support organizations to 
regulate the use of the information they provide is the Medical Information 
Bureau’s rule which prohibits the use of a Bureau report, intended only as an 
alert, as the basis for declining an applicant.8! Compliance with this rule has 
not been carefully audited in the past, and testimony before the Commission 
by the MIB indicates that as a result of the MIB’s own audits there is 
evidence that some life insurers do render adverse decisions based solely on 
Medical Information Bureau codes.82 Furthermore, the reinvestigation 
requirement the MIB imposes on its members can be satisfied by going to an 
inspection bureau and getting information on file there—the same informa- 
tion which another insurer may have used to decline the applicant. 

To some extent these problems are endemic to data exchanges, like the 
MIB, that are controlled by their users. Being wholly dependent, they 
cannot be expected to enforce their rules against those who sustain them. 
The end result, however, is that poor quality information can, ina variety of 
ways, cause an individual to be denied an insurance benefit or privilege for 
which he would otherwise be eligible. The insurer may lose too, by forfeiting 
a customer or by having its relationship with an existing policyholder 
deteriorate. Obsolete, inaccurate, or incomplete information serves no one. 


Bureau accept 


THE ABSENCE OF A STRICT Duty OF CONFIDENTIALITY 


There is an understandable public concern about the confidentiality of 
records about individuals that insurance institutions and their support 





7 Testimony of the MIB, Insurance Records Hearings, May 19, 1976, p. 263. 
Ibid., pp. 235-36; 244-58. 

fy estimany of the AIA, Insurance Records Hearings, May 21, 1976, p. 771. 

i MIB, “General Rules,” Handbook and Directory, Rule 14. Rule 14 is now Rule D.4. 
Th Testimony of the MIB, Insurance Records Hearings, May 19, 1976, pp. 234-36; 244-58. 
ff peegeny ea no testimony from the Impairment Bureau on this issue, but-problems no 
Bur, t exist with its subscribers as well. This would seem especially true since the Impairment 
a even those safeguards and rules under which the Medical Information Bureau 


CamScanner 


180 PERSONAL PRIVACY IN AN INFORMATION SOCIETy 


organizations maintain. As previously noted, the collection of information 
about an individual without his full knowledge of the scope of the inqui 
and its consequences may weaken the relationship between the insurer and 
the individual. The individual may be deterred from applying or ma 
mistrust the insurer when he does apply. The Commission heard testimon 
that some people do not buy insurance for fear that the resultin 
information flow will come back to haunt them, either in a subsequent 
insurance decision or through disclosure to their employer.83 Others do not 
use their benefits—for instance, psychiatric coverage—for fear claims 
information will not be held in strictest confidence.84 In addition, the 
individual may be more likely to lie about information which he feels may 
go beyond the insurer. Confidentiality has become such a concern that some 
who maintain records about individuals, such as doctors and psychologists, 
are increasingly reluctant or unwilling to disclose the information in them, 
even when authorized to do so by the individual.85 Other sources, such as 
neighbors and associates, may also refuse to provide information or may 
provide inaccurate information. 

Although insurance institutions and support organizations now 
assume some responsibility for the confidentiality of the information the 
collect and maintain on individuals, earlier parts of this chapter show the 
extent to which personally identifiable information is disclosed by numerous 
insurance industry organizations. Within the industry, information sharing 
occurs on a routine’ basis. Moreover, information may be disclosed to those 
outside the industry without the individual’s knowledge.86 The Commission 
believes that the key to solving this important problem is to create an 
enforceable expectation of confidentiality which clearly delineates the 
circumstances under which an insurance institution or support organization 
may disclose information about an individual without his authorization. 


CURRENT LEGAL RESTRAINTS ON RECORD-KEEPING 
PRACTICES 


STATE’ INSURANCE REGULATION 


The primary regulatory mechanisms for overseeing the activities of 
insurance institutions are at the State level. State regulation has developed 
around two basic aims: (1) maintaining the solvency of individual insurance 
companies; and, (2) assuring fair business practices and pricing. Although 
interest in the record-keeping practices of insurance institutions has 
increased in the last few years, few States have focused significant attention 
on the privacy protection problems the Commission has identified. No 





33 Written statement of Benjamin Lipson, Insurance Records Hearings, May 20, 1976, p. 7. 
*4 Ibid., p. 8; Testimony of Jerome S. Beigler, American Psychiatric Association, Insurance 
Records Hearings, May 20, 1976, pp. 358-360. 


85 Testimony of Jerome S.. Beigler, American Psychiatric Association, Insurance Records 
Hearings, May 20, 1976, pp. 370-73. 


86 Testimony of the Index System, Insurance Records Hearings, May 21, 1976, p. 769: 
Testimony of Jerome S. Beigler, Insurance Records Hearings, pp. 361, 372; Written statement 
of the Blue Cross Organizations, Insurance Records Hearings, May 20, 1976, p: 5. 


CamScanner 


The Insurance Relationship 181 


State, to the Commission’s knowledge, has enacted privacy protection 
legislation which would affect insurance record-keeping practices. More- 
over, regulation of insurance record-keeping practices at the State level is 
limited because State Insurance Departments do not have regulatory 
authority over most insurance-support organizations. 

There are, however, existing regulatory mechanisms at the State level 
which could be used to implement some of the Commission’s insurance 
recommendations. These include the unfair trade practices provisions of 
State insurance laws, and the authority State Insurance Commissioners have 
been given over the contents of those application forms which are 
considered part of the policy. 

Most States have passed a version of the Model Unfair Trade Practices 
Act.87 These laws are applicable to all types of insurance and are designed to 
protect the insurance consumer by prohibiting insurance institutions from 
engaging in a wide range of practices specifically defined by the Act to be 
unfair. The Act includes prohibitions against false advertising, defamation 
of competitors, boycotts, fraudulent financial statements, rebates, and 
unfair discrimination. Many States have added to this statute an Unfair 
Claims Practices Act which protects claimants by forbidding unreasonable 
claim settlement practices, including misrepresentation, delays in claim 
payments, and claim settlement offers which are so low as to compel 
claimants to institute litigation to collect their claims. 

The Model Act provides the State Insurance Commissioner with 
several mechanisms to enforce the prohibition against defined unfair trade 
practices. The Commissioner has the authority to promulgate regulations 
identifying the methods of competition or practices which come under the 
specific prohibitions enumerated in the Act. In addition, the Commissioner 
may hold a hearing and issue a cease and desist order whenever he believes 
an insurer is engaging in one of the unfair practices. Monetary penalties or 
suspension or revocation of a company’s license may also be imposed for a 
violation of the defined unfair trade practices where the insurer knew or 
should have known that it was in violation of the Act. 

In addition to the Commissioner’s powers to enforce defined unfair 
trade practices, the Model Act also provides that he may hold hearings on 
any act or practice which he believes is unfair, even though the practice is 
not specifically defined in the Act. If, after a hearing, an undefined act or 
practice is found to be unfair, the Commissioner may issue a cease and 
desist order. The Model Act, however, does not empower the Commissioner 
to add by regulation new acts to the defined unfair trade practices, or to 
impose monetary penalties for engaging in undefined unfair trade practices. 

Some States already make use of the Unfair Trade Practices Act 
prohibition against unfair discrimination to regulate record-keeping practic- 
es. The regulations, however, are limited in scope and, in almost all 
instances, are concerned with the use of information in the underwriting 
Process rather than its actual collection. For instance, the Privacy Commis- 
sion heard testimony on the regulation of the relevance of information used 


es 
_*T Note: e.g., Cal. Ins. Code §§ 790.01, et seq. ; Mass. Gen. Laws Ann., ch. 93a; Vt. Stat. Ann. 
Ut. 63, § 2451; ILL. Rev. Stat. ch. 121 1/2, § 261. 


CamScanner 


182 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


in the underwriting process from a representative of the California 
Insurance Department. California has used its regulatory authority under its 
unfair trade practices laws to prohibit unfairly discriminatory practices on 
account of sex, marital status, unconventional life-styles, and sexual 

’ orientations differing from the norm. The California Department normally 
does not attempt to prohibit collection; rather, it acts on an ad hoc basis to 
prohibit the use of certain criteria in underwriting decisions upon the receipt 
of complaints from insurance consumers.®8 

Because the Model Unfair Trade Practices Act is applicable to all lines 
of insurance and contains strong enforcement provisions, it can serve as an 
appropriate regulatory mechanism for several of the Commission’s recom- 
mendations. It will, however, be necessary to amend the Act to define 
certain unfair record-keeping practices as unfair trade practices. These 
unfair practices would then be subject to the full range of regulatory and 
enforcement authority granted Insurance Commissioners under the Model 
Act, including the power to hold hearings and issue cease and desist orders, 
and to impose monetary penalties. 

Many State Insurance Commissioners have an additional power which 
could assist in the implementation of certain of the Commission’s recom- 
mendations. In many States, Commissioners have the authority to approve 
policy forms. In the case of life and health policies, application forms are 
considered a part of the policy, so they would be subject to the Commission- 
er’s approval. Thus, Insurance Commissioners in a number of States would 
be in a position to monitor and enforce the Commission’s notification, 


authorization, and previous adverse decision recommendations insofar as 
life and health insurance are concerned. 


FEDERAL REGULATION 


The Federal government has only one law which affects the record- 
keeping practices of the insurance industry—the Fair Credit Reporting Act. 
The FCRA governs the use of inspection bureau reports prepared by 
Support organizations in connection with underwriting decisions by 
insurers, and thus its effect on insurance institutions is limited to their role as 
users of such reports. There are also a few State fair credit reporting statutes 
similar to the Federal one. The Commission believes that amending the Fair 
Credit Reporting Act is a good mechanism to implement many of its 
recommendations that are beyond the scope of the present Act, including 
some of its insurance recommendations. The scope of the Act could be 
broadened, and its title and enforcement framework could be altered to 
reflect the new scope presented by some of the Commission’s recommenda- 
tions. In addition, the oversight functions presently given to the Federal 
Trade Commission could be expanded, thus avoiding the necessity of 
creating. a new Federal agency to oversee implementation of those 


Commission recommendations which are proposed for adoption by 
amendment of the FCRA. 





88 Testimony of the Califo 


20, 1976, pp. 496-98. mia Department of Insurance, Insurance Records Hearings, May 


CamScanner 


The Insurance Relationship 183 


THE COMMON LAW 


The final constraint upon record-keeping practices in the insurance 
industry is provided by the common law actions of defamation and privacy. 
Defamation provides liability for damage to reputation caused by the 
publication of untrue information about an individual. The tort of invasion 
of privacy provides liability under certain circumstances for, among other 
things, public airing of private information about an individual. Insurance 
institutions and support organizations may be able to raise a qualified 

rivilege in defense of such actions. 

In recognition of the need for a free flow of information in commercial 
transactions, most States have recognized a qualified business privilege 
which provides a defense for otherwise defamatory statements when made 
to the proper parties, in a proper manner, and for a valid business purpose, 
except if the statement is false and made with malicious intent to injure the 
individual to whom it refers. Similarly, there is a qualified privilege for 
invasion of privacy actions. These limits on common law actions enable 
insurance institutions and support organizations to exchange information 
for legitimate purposes relatively free of legal restraints. As noted earlier, 
however, the privilege is available only when information is disclosed to 
someone deemed to have an interest in it. It is for this reason that insurance 
institutions and their support organizations are careful to guard against the 
disclosure of information to anyone outside of the industry. 


RECOMMENDATIONS 


The Commission’s approach to the problems described in this chapter 
has been to focus on strengthening and balancing the relationship between 
the individual insurance applicant, policyholder, or claimant and the 
insurance institution with whom he deals. As indicated at the outset, the 
Commission’s recommendations have three objectives: 


(1) to create a proper balance between what an individual is 
expected to divulge about himself to a record-keeping 
organization and what he seeks in return (to minimize 
intrusiveness); 

(2) to open up record-keeping operations in ways that will 
minimize the extent to which recorded information about an 
individual is itself a source of unfairness in any decision about 
him made on the basis of such information (to maximize 
fairness); and 

(3) to create and define obligations with respect to the uses and 
disclosures that will be made of recorded personal informa- 
tion (to create a legitimate, enforceable expectation of 


confidentiality.) y 


In the insurance area, as in others it has studied, the Commission also 
believes that giving an individual certain rights without placing correspond- 


ing obligations on the institution with whom he has the primary record- 


CamScanner 


184 PERSONAL PRIVACY IN AN INFORMATION SOCIETy 


keeping relationship is not likely to bring about adequate remedial action. 
Thus, the Commission believes that insurance institutions and insurance. 
support organizations must assume greater responsibility for their personal- 
data record-keeping practices. In some cases, this can be accomplished by 
bringing the forces of the marketplace to bear on record-keeping policy and 
practice, through voluntary adoption of standards set forth in this report, or 
through court action by individuals to enforce their rights. In others, 
government agencies should also be called upon to play monitoring and 
corrective roles. The Commission believes that both parties will benefit from 
this approach. The individual’s position with respect to the records the 
insurance relationship generates about him will be strengthened, while 
insurers and insurance-support organizations will be assured of obtaining 
the kind of information that promotes fair and efficient operations. Greater 
confidence in insurance institutions and their role in society should result 
from opening up the process in this way. a 

One of the major reasons legislation is needed is that the individual is 
currently at a disadvantage in the insurance relationship. Some of the 
Commission’s recommendations have attempted to protect the applicant, 
policyholder, or claimant by placing certain restraints on the insurer— 

limiting certain collection techniques, creating standards for the authoriza- 

. tion forms used, and requiring reasonable procedures in the collection, use, 
and disclosure of information about an individual. The Commission’s aim, 
however, is not so much to constrain insurance institutions and support 
organizations as it is to enhance the position of the individual so that he can 
protect his own privacy interests. To this end, the Commission has 
concluded that the insurer should inform the individual of the scope of its 
underwriting inquiry by a clear notice and an adequate authorization form; 
that the subject of an investigative report should be interviewed if he SO 
desires; and that a mechanism should be created whereby the individual can 
question the propriety of a specific type of inquiry made in connection with 
an insurance decision about him. These recommendations are designed to 
give the individual a central role in the record-keeping practices (including 
information collection) of the insurance industry. 

The ability of the individual to protect himself depends upon the 
knowledge he has of the records that are made about him. Thus, an 
individual should have access to a record about himself and a mechanism 
should exist whereby disputes concerning the accuracy of such a record can 
be settled. Access and correction rights are also needed to enable the 
individual to protect himself from investigations which exceed the scope of 
the notice he is given at the time he seeks to establish a relationship with an 
Insurer, and to assure that the records maintained about him are accurate, 
timely, and complete. In addition, the individual should be informed of the 
reasons for an adverse decision about him and the specific information 
which supports those reasons, so that he can protect himself from unfair 
treatment resulting from the use of inaccurate, obsolete, or incomplete 
information. 

,.._ This approach is not simply intended to be a procedural one. Rather, it 
is intended that the dynamics of the relationship between the insurer and the 


CamScanner 


The Insurance Relationship 185 


individual, rather than action by a legislature or regulator, will create certain 
standards governing the collection, maintenance, use, and disclosure of 
information by insurance institutions and support organizations. The 
Commission believes that notice, access, dispute, and an enforceable 
expectation of confidentiality are the tools an individual must have if he is to 
lay an effective role in preventing the record-keeping practices of insurance 
institutions and support organizations from trespassing on his privacy 
interests. Armed with them, he can exert constructive pressure upon an 
insurer or agent. Even where the abuse concerns an insurance-support 
organization, pressure will be most effective on the insurer or agent, because 
the individual has a direct relationship with them, and because the prospect 
of adverse publicity that could affect the insurer’s position in the market- 
place provides the insurer with more incentive to be responsive than the 
support organization. 
Overall, the Commission believes that the strategy it proposes for 
oe these recommendations is a reasonable and practical one in 
that it: 


° uses existing regulatory and legislative mechanisms to the 
maximum extent possible; 

e keeps the cost of administration and compliance at acceptable 
levels; 


° provides inducements to comply willingly so that disputes 
over compliance can be kept to a minimum; and 

. provides reasonable protection against liability for uninten- 
tional failure to comply, coupled with appropriate penalties 
for willful failure to comply. 


As previously noted, because insurance is regulated primarily by State 
Insurance Departments, the Commission believes that the responsibility for 
implementing some of its recommendations should be properly lodged at 
the State level. In addition, the personal-data record-keeping practices of 
insurance institutions are also regulated to some extent by the Federal Fair 
Credit Reporting Act which the Commission believes is the proper vehicle 
for implementing recommendations that aim to strengthen the insurance 
relationship by eliminating artificial distinctions between the record-keeping 
practices of insurance institutions and the record-keeping practices of their 
support organizations. Finally, for reasons that are fully elaborated in 
Chapter 9 on government access to records about individuals maintained by 
organizations in the private sector, the Commission has concluded that the 
enforceable expectation of confidentiality it recommends must be imple- 
mented by Federal statute. 

It should be noted, moreover, that the recommendations to be 
implemented by Federal statute, including those that would be implemented 
by amending the Fair Credit Reporting Act, give the individual actionable 
rights against insurance institutions and support organizations. The Com- 
Mission has explicitly rejected the establishment of a Federal regulatory 
structure that could be quite costly both to the taxpayer and to the ca a 
Industry. Instead, by making those who do not comply civilly liable for their 


CamScanner 


186 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


failure to do so, and by making it comparatively easy for such actions to be 
brought, the Commission believes that a strong incentive for systemic 
reform will be created without subjecting those who favor reform to 
unnecessarily costly government regulation. The burden will fall on those 
who by their actions willfully and repeatedly disregard their responsibilities 
rather than on those who make a good faith effort to comply fully. In short, 
the implementation of the Commission’s recommendations is designed to 
place an increasing financial burden on those companies who encourage 
costly disputes by ‘resisting openness, or who fail to adopt reasonable 
procedures to control the collection, use, or disclosure of records about 
individuals. 

Finally, insurance institutions should not be unduly exposed to 
liability which arises only because of the openness of the process. The 
objective of the Commission’s recommendations is to cleanse the system of 
decisions based on inaccurate or incomplete information; not to create 
windfall recoveries for bad information or practices of the past. 

Definitions for some of the terms used in the recommendations and 


discussion which follow may be found in the glossary at the end of this 
chapter. | 


Intrusiveness 


The Commission’s first three recommendations address the scope and 
character of the inquiry to which an insurer may require an individual to 
submit as a condition of establishing or maintaining an insurance relation- 
ship. Because insurance is concerned with the protection of individuals or 
personal property, the process of granting insurance coverage necessarily 
involves intrusions on personal privacy. The question is simply (or perhaps 
not so simply) how much of an intrusion and by what methods. 


GOVERNMENTAL MECHANISMS 


For some years now, controversies over the propriety of asking certain 
kinds of questions of an individual have generally centered on the relevance 
of the information sought to the decision to be made. For example, the 
_ Privacy Act of 1974 requires each Federal agency to limit its collection, 

maintenance, use and dissemination of information about individuals to 
that which “is relevant and necessary” to a purpose the agency is required to 
perform by statute or Executive Order.89 The California Insurance 
Department, relying on its authority to prevent unfairly discriminatory 
practices, investigates the relevance of certain items of information used by 
insurers doing business in the State and may prohibit the use of any item 
whose relevance to underwriting decisions or pricing cannot be demon- 
strated to the Department’s satisfaction. . / 
_A related, and in many respects more difficult, question concerns 
inquiries which, while demonstrably relevant, are objectionable on other 
grounds. Legislatures may prohibit, and have prohibited, the use of certain 


895 U.S.C. 552a(e)(1). 





689 CamScanner 


The Insurance Relationship | 187 . 


items of information on fairness grounds. Race, for example, has been 
excluded as an eligibility or rating criterion for life underwriting even 
though its relevance to life expectancy can be demonstrated. On the other 
hand, the Privacy Act of 1974 strives, not very successfully, to ban the 
collection and use of information pertaining to an individual's exercise of his 
First Amendment rights on the grounds that such inquiries by government 
agencies constitute an unwarranted invasion of personal privacy, i.e., that 
they fail the test not of relevance or fairness, but of propriety.9! 

Thus far, there have been few instances in which items of personal 
information have been proscribed on grounds of impropriety, 1.e., unwar- 
ranted intrusiveness. In the insurance area, California has come close in 

roscribing the collection and use of information concerning “moral life- 
style.”92 The California approach is almost unique among State insurance 
regulatory authorities and all the California Department's other investiga- 
tions, except for “moral life-style,” have turned on other issues, such as 
fairness. In some cases regulation has not been necessary because the 
impropriety of certain types of inquiries is universally recognized. An 
example would be collection of information about an individual from his 

riest, minister, or rabbi. 

It should be noted, moreover, that fairness and propriety issues usually 
cannot be dealt with in the same way. As briefly discussed in Chapter 2, 
when fairness is the overriding concern, such as in the Equal Credit 
Opportunity Act as amended, //5 U.S.C. 1691 et seq.], continued collection 
of certain information may be necessary to demonstrate that it is no longer 
being used to make decisions about individuals. For example, one cannot 
show that sex and race are not being systematically used to make credit 
decisions unless one can show that credit has been extended to women and 
minorities in proportion to their relative numbers in the credit grantor’s 
market. And the most practical way to do that may well be to have the credit 
grantor record the sex and race of all applicants. This, however, is much 
different from situations where impropriety is the reason for proscribing 
information: There, the first act must be to prohibit collection, since the 
problem lies primarily in the asking of the question. Use may also be 
prohibited in such a situation but only to make sure that the information is 

- totally excluded from the decision-making process. 

The Commission believes that, in the future, society may have to cope 
with objections to the collection of certain information about an individual 
on the grounds that it is “nobody’s business but his own.” In some cases, 
these propriety issues may be resolved by prohibiting an inquiry on the 
grounds that it is irrelevant, but in others, where relevance can be 





% See, for example, Vital Statistics of the United States, 1972, Vol. 1I—Morality, Part A. Table 
5-3, Expectation of Life at Single Years of Age by Color and Sex, United States, 1972 (pp. 5-8), 
published by U.S. Department of Health, Education and Welfare, Public Health Service, 
i Resources Administration, National Center for Health Statistics, Rockville, Maryland: 

°15 U.S.C. 552a(e)(7). Pas 

® Testimony of the California Department of Insurance, Insurance Records Hearings, May 
20, 1976, p. 497; Letter from Angele Khachadour, California Department of Insurance, to the 
Privacy Commission, July 30, 1976. California ‘Department of Insurance, Ruling No. 204. 


CamScanner 


188 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


iption may be necessary on propriety grounds alone. In 
i aha te diet aucsions of this qanute are best resolved on a case- 
by-case basis. One must be concerned about undue government interference 
in such controversies. The Commission: believes, moreover, that all such 
determinations must be prospective, so as to avoid retroactive punishment 
for behavior which at the time was wholly consistent with prevailing societal 
expectations and norms. However, the Commission also believes that 
institutional mechanisms are needed so that such questions can be raised 
and resolved. ; Bi 

Insurers have historically enjoyed considerable latitude in determining 
what information is and is not necessary to a given decision about an 
individual. Underwriting is far from an exact science. Moreover, industry 
spokesmen argue that the cost of collecting information: is a powerful 
enough incentive to collect only relevant information. Yet others claim that 
insurance institutions collect a great deal of information whose relevance is 
questionable. Indeed, the industry has been criticized for not taking 
advantage of its actuarial and computer expertise to refine its relevance 
criteria. 

To a large extent, the relevance-propriety issue in insurance stems 
from some insurers’ belief that they should insure only those of “high moral 
character,” and should shun those whose mode of living differs from what 
society considers normal. In a society as diverse as ours, however, 
determining what “society considers normal” is no easy task, and relying on 
the independent judgment of underwriters to make this determination has 
led to considerable difficulties. 

The Commission is mindful of the complexities that lie beneath the 
surface of the relevance-propriety issue in the insurance area. It is aware that 
a few States have taken an interest in certain insurance-related inquiries. 
Most, however, have not. The Commission, moreover, is not fully persuaded 
that the problem can be handled exclusively through market mechanisms. 
Although Recommendation (5) (see below) seeks to set corrective market 
forces in motion, the necessity of insurance in today’s society may make it 
difficult for individuals to make their objections felt. Furthermore, should 
there be sentiment in favor of banning a particular category of inquiry, 
irrespective of its relevance, some way will have to be found for society to 
estimate and consider the cost involved in such an action and the way in 
which the cost will be distributed. Thus, in light of all these considerations, 
and out of its desire to eliminate unreasonable invasions of personal privacy, 
the Commission recommends: - 


Recommendation (1): 


That _8overnmental mechanisms should exist for individuals to 
question the propriety of information collected or used by insurance 
institutions, and to bring such objections to the appropriate bodies 
which establish public policy. Legislation specifically prohibiting the 
use, or collection and use, of a specific item of information may result; 
_” OF an existing agency or regulatory body may be given authority, or 


| 
CamScanner 


The Insurance Relationship 189: 


use its currently delegated authority, to make such a determination 
: with respect to the reasonableness of future use, or collection and use, 
of a specific item of information. 


To implement this proposal, the Commission recommends that each 
State Insurance Commissioner collect individuals’ complaints and questions 
concerning the propriety of particular types of inquiries, prepare periodic 
summary reports on the number of questions and complaints by category, 
and make them available to legislative bodies. If already authorized by the 
legislature, the Commissioner may take action. In California, for example, 
the legislature empowered the Commissioner to promulgate rules and 
regulations under the unfair trade practices article of the State insurance 
laws and the Commissioner then used that authority to declare discrimina- 
tion based on sex, marital status, or sexual orientation a prohibited 
practice.93 /§790.03 and 790.10 of the California Insurance Code]. The rules 
the Commissioner adopts may prohibit the use of certain information in one 
line of insurance but not in another. Furthermore, within a given line of 
insurance, the Commissioner might allow certain information to be used as 
the basis for rating or determining risk, but not unless it has an impact on 
one or the other. For example, inquiry into the fact of cohabitation might be 
relevant in determining use of a vehicle, a valid rating criterion, but the mere 
fact of cohabitation, unrelated to vehicle use, could not be the basis of an 
underwriting or rating decision. . 

_ Currently, most Insurance Commissioners could address the use of 
irrelevant information under their. general authority to hold hearings and 
issue cease and desist orders in connection with undefined unfair trade 
practices. The Commission believes, however, that the rule-making tech- 
nique is fairer and more effective than looking one at a time at possible 
violations of a general prohibition against unfair trade practices. Not only 
will more insurers than the one offender have a say in the wisdom of the 
Commissioner’s proposed prohibition, but the Commissioner’s decision will 
only be subject to the narrow judicial review generally applied to rule- 
making decisions. The Federal Insurance Administrator could also collect 
the reports compiled by the State Insurance Commissioners and periodically 
report on them to the Congress. 

An alternate and not mutually exclusive suggestion is that the Federal 
Insurance Administrator, or another appropriate Federal entity, collect 
complaints concerning the propriety of insurance inquiries directly from 
individual consumers and from time to time report and make recommenda- 
tions on them to the Congress. It is not recommended, however, that the 
Federal Insurance Administrator have the rule-making authority urged for 
State Insurance Commissioners, since regulation of information practices 
within the insurance industry is currently a State function. 

of 
a 


PRETEXT INTERVIEWS 


As indicated earlier, Factual Service Bureau obtained some of its 





93 Tbid. 


ba 


6859 CamScanner 


190 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


information through pretext interviews or other false or misleadin 
representations.°4 A pretext interview is one in which the inquirer (1) 
pretends to be someone he is not; (2) pretends to represent someone he does 
not; or (3) misrepresents the true purpose of the interview. Mere silence on 
any or all of these points would not normally constitute a pretext interview, 
Indeed, an investigator could refuse to identify himself, his client, or the 
purpose of the inquiry, letting the person of whom the inquiry is being made 
infer whatever he wishes from such behavior. Nonetheless, an investigator 
dressed in a white lab coat making inquiries of a clerk in a hospital medical 
records room would be conducting a pretext interview if he allowed the clerk 
to assume he was a properly credentialed medical professional. 

As pointed out in several chapters of this report, the Commission 
believes that some investigative practices are unreasonably intrusive, or at 
least have a high potential for depriving an individual of even a modicum of 
control over the disclosure of information about himself. An investigator 
conducting a pretext interview clearly raises that prospect. Thus, out of its 
desire to prevent unreasonable invasions of privacy resulting from the 


techniques used to collect information about individuals, the Commission 
recommends: 


Recommendation (2): 


_ That the Federal Fair Credit Reporting Act be amended to provide 
that no insurance institution or insurance-support organization may 
attempt to obtain information about an individual through pretext 
interviews or other false or misleading representations that seek to 
conceal the actual purpose(s) of the inquiry or investigation, or the 
identity or representative capacity of the inquirer or investigator. 


This recommendation would apply to all insurance inquiries—whether 
for underwriting or first- or third-party claims. The prohibition would be 
enforceable by the Federal Trade Commission (FTC) against organizations 
that collect information by means of pretext interviews. An organization 
would be able to defend itself against an FTC action on the basis that it had 
taken reasonable steps and instituted reasonable procedures to prevent such 
activity. The use of pretext interviews should be made a civil offense, 
punishable by fines and cease and desist orders. 


REASONABLE CARE IN THE USE OF SUPPORT ORGANIZATIONS 


The reported practices of Factual Service Bureau also raise a 
legitimate concern about the care with which insurance institutions select 
and use the services of Support organizations. An institution should not be 
totally unaccountable for the activities of others who perform services for it. 
The Commission believes that an insurance institution should have an 
affirmative obligation to check into the modus operandi of any “support 


94 Testimony of Dale Tooley, District Attorney, Denver, Colo., Medical Records, Hearings 
before the Privacy Protection Study Commission, June 11, 1976, pp. 456 - 511. 





CamScanner 


The Insurance Relationship 191 


organizations it uses or proposes to use; and that if an insurance institution 
does not use reasonable care in selecting or using such organizations, it 
should not be wholly absolved of responsibility for their actions. Moreover, 
a like obligation should obtain where one support organization uses the 
services of another. 

Currently, the responsibility of an insurance institution for the acts of 
a support organization depends upon the degree of control the insurance 
institution exercises over the support organization. Most insurance-support 
organizations are independent contractors who traditionally reserve the 
authority to determine and assure compliance with the terms of their 
contract. Thus, under the laws of agency, an insurer may be absolved of any 
liability for the illegal acts of a support organization if those acts are not 
required by the terms of the contract.% In the Commission’s opinion, the 
Factual Service Bureau case illustrates why this is not desirable. According- 
ly, to deal with the responsibility of the institution that uses others to gather 


information about individuals for its own use, the Commission recom- 
mends: 


Recommendation (3): 


That the Federal Fair Credit Reporting Act be amended to provide 
that each insurance institution and insurance-support organization 
must exercise reasonable care in the selection and use of insurance- 
support organizations, so as to assure that the collection, mainte- 
nance, use, and disclosure practices of such organizations comply with 
the Commission’s recommendations. 


If it could be shown that an insurance institution had hired or used a 
support organization with knowledge, either actual or constructive, that the 
organization was engaging in improper collection practices, such as pretext 
interviews, an individual or the Federal Trade Commission could initiate 
action against both the insurance institution and the support organization 
and hold them jointly liable for the support organization’s actions. 


Fairness 


THE REASONABLE PROCEDURES OBJECTIVE 


As a general objective guiding the personal-data record-keeping 
practices of insurance institutions and their support organizations, the 
Commission recommends: 





% See, e.g., Milton v. Missouri Pacific Ry. Co., 193 Mo. 46, 91 S.W. 949 (1906); Inscoe v. Globe 
Jewelry Co., 200 N.C. 580, 157 S.E. 794 (1932). However, recent decisions in a few jurisdictions 
indicate that under certain circumstances, one who contracts with a private investigator may 
not thereby insulate himself from liability for unlawful acts committed by the investigator by 
merely arguing that they were outside the scope of the contract. Ellenberg v. Pinkerton’s, Inc., 
124 Ga. App. 648, 188 S.E. 2d 911 (1972); Noble v. Sears, Roebuck and Co., 33 Cal. App. 3d 654, 
109 Cal. Rptr. 269, 73 A.L.R.3d 1164 (1973). 4 ; 


CamScanner 


192 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


Recommendation (4): 


That cach insurance institution and insurance-support organization, 
in order to maximize fairness in its decision-making processes, have 
reasonable procedures to assure the accuracy, completeness, and 
timeliness of information it collects, maintains, or discloses about an 
individual. 


Subsection 3(e)(5) of the Privacy Act of 1974 requires each Federal 
agency to 


collect, maintain, use and disclose® all records which are used by the 
agency in making any determination about any individual with such 
accuracy, relevance, timeliness, and completeness as is reasonably 
necessary to assure fairness to the individual in the determination. 


This provision is a requirement on management wholly independent of 
the rights the Act gives an individual. For a Federal agency whose 
administrative procedures are subject to congressional oversight, it is an 
appropriate requirement.9? The same, however, cannot be said of its 
applicability to the private sector. 

As pointed out in Chapter 1, the Commission believes that the mix of 
rights and obligations its private-sector recommendations would establish 
are in themselves incentive enough to foster the kind of management 
attention to personal data record-keeping policy and practice that subsec- 
tion 3(e)(5) of the Privacy Act requires. Thus, the Commission does not 
recommend that Recommendation (4) be incorporated in statute or regula- 
tion. Rather it envisages Recommendation (4) being implemented automati- 
cally as a consequence of the adoption of the other recommendations in this 
section, particularly Recommendations (10), (11 ), (12), (13), and (16), on 
access, correction, adverse: decisions, disclosure of information from proper 
medical sources, and Recommendations (5), (6), and (17), on notice and 
disclosure. - 

The adoption of these recommendations will promote the mainte- 
nance of reasonable procedures by insurance institutions to assure the 
accuracy, completeness, and timeliness of information and provide a means 
whereby information collected, maintained, or disclosed may be corrected 
or updated by the individual. 


FAIRNESS IN COLLECTION 
NOTICE REGARDING COLLECTION FROM THIRD PARTIES 


As indicated in the discussion of Recommendation (1), the Commission 
believes that the type of governmental mechanism called for should be used 
mainly in instances where the forces of the marketplace are not strong 


% The Act’s definition of “maintain” includes all four record-keeping functions: collection, 
maintenance, use, and dissemination. 


_ * For more detailed discussion of this requirement, and the problems agencies have had 
implementing it, see Chapter 13. e 


CamScanner 


The Insurance Relationship 193 


enough to induce the elimination of objectionable items from the insurer’s 
scope of inquiry—for example, items that are demonstrably relevant but 
nonetheless objectionable on the grounds of propriety. To make market 
forces work to the advantage of the insurance purchaser, however, he must 
know the type of information that may be developed and considered in the 
decision-making process for an insurance transaction. Otherwise, he has no 
way of judging whether to take his business elsewhere. The application form 
itself serves to apprise the individual of some of the information that will be 
gathered about him, but as previously pointed out, the application normally 
gives at best only faint clues as to the type of inquiry that may be made of 
sources other than the individual himself. 

Thus, to minimize the need for public-policy determinations as to the 
propriety of an insurer’s inquiries about an individual, as well as inform the 
individual of the disclosures that must be made in order to obtain a 
favorable decision on his insurance application, the Commission recom- 
mends: 


Recommendation (5): 


That an insurance institution, prior to collecting information about an 
applicant or principal insured from another person in connection with 
an insurance transaction, notify him as to: 


(a). the types of information expected to be collected about him 
from third parties and that are not collected on the application, 
and, as to information regarding character, general reputation, 
and mode of living, each area of inquiry; 

(b) the techniques that may be used to collect such types of 
information; 

(c) the types of sources that are expected to be asked to provide 
each type of information about him; 

(d) the types of parties to whom and circumstances under which 
information about the individual may be disclosed without his 
authorization, and the types of information that may be 
disclosed; 

(e) the procedures established by statute by which the individual 
may gain access to any resulting record about himself; 

(f) the procedures whereby the individual may correct, amend, 
delete, or dispute any resulting record about himself; 

(g) the fact that information in any report prepared by a consumer- 
reporting agency (as defined by the Fair Credit Reporting Act) 
may be retained by that organization: and subsequently dis- 
closed by it to others. ” 


Recommendation (5) would not apply to information collected for first- or 
third-party claims or for marketing purposes where the information is 
collected prior to the initial application. In all other cases, however, it would 
provide the individual with information about the scope of inquiry to which 
he is agreeing; the manner in which the inquiry will be conducted (e.g., 


CamScanner 


194 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


through interviews of neighbors and associates) and the disclosures other 
institutions may possibly make in response to an inquiry from the insurer or 
an insurance-support organization. Most importantly, it would apprise the 
individual of the types of uses that may later be made of information 
without his authorization—for example, of medical-record information 
acquired by the insurer, or of “adverse information” acquired and retained 
by an investigative-reporting agency—while at the same time anticipating 
his need or desire to see and copy, or correct, information developed in the 
course of the inquiry. Thus, the recommendation would provide the 
individual with a detailed map of the information flows attendant upon the 
relationship he proposes to establish with the insurer. 

It should be noted, moreover, that the subsection (a) requirement to 
notify as to “each area of inquiry” when information regarding character, 
general reputation, and mode of living is to be collected from a third party 
anticipates a level of specificity finer than currently considered acceptable 
under the Fair Credit Reporting Act. Furthermore, while the recommenda- 
tion does not apply to information collected in connection with first- or 
third-party claims or for marketing purposes prior to the time the individual 
submits his application, the subsection (d) requirement to notify the 
individual of those parties to whom the information may be disclosed 
without his authorization would include notice of the fact that information 
on first-party property and liability claimants is sometimes disclosed to the 
loss indexes and the Insurance Crime Prevention Institute. 

While unanimously agreeing that the type of notice called for in 
Recommendation (5) is necessary to solve the problems it addresses, the 
Commission was concerned about its practicality. One insurer, however, 
drafted an example which showed that the requirements of Recommendation 
(5) could be met by a notice that is neither unreasonably lengthy nor 
unreasonably complex. 

As to implementation, while the Fair Credit Reporting Act governs 
notice requirements to some extent, Insurance Commissioners can also 
independently monitor industry compliance through their hearing authority 
under unfair trade practices laws as well as their authority to approve 
certain application forms. Finally, Recommendation (5) may be self-enforc- 
ing because Recommendations (11) and (12), if adopted, will give the 
individual a right to have information beyond the scope of the notice given 


him deleted from any resulting underwriting or support-organization record 
about him. 


NOTICE AS THE COLLECTION LIMITATION 


The notice given pursuant to Recommendation (5) will be useless if the 
Insurer's inquiry goes beyond what the notice anticipates. Furthermore, as 
indicated in the discussion of Recommendation (3) on reasonable care in the 
Selection of support organizations, one of the problems with the insurance 
relationship is the degree to which it is attenuated by the insurer’s frequent 


reliance on independent contractors in gathering information about 
individuals. 


io. y 


CamScanner 


The Insurance Relationship 195 


Thus, to assure that there will be consistency between the scope, 
techniques, and sources described in the Recommendation (5) notice and the 
actual inquiry that takes place, the Commission recommends: 


Recommendation (6): 
That an insurance institution limit: 


(a) its own information collection and disclosure practices to those 
specified in the notice called for in Recommendation (5); and 

(b) its request to any organization it asks to collect information on 
its behalf to information, techniques, and sources specified in 
the notice called for in Recommendation (5). 


Like the notice recommendation itself, this recommendation does not apply 
to information collected in connection with first- or third-party claims or for 
marketing purposes where the information is collected prior to the initial 
application. Compliance with Recommendation (6) could be verified through 
the correction procedures called for in Recommendations (11) and (12) as 
well as Insurance Department examinations. If an individual finds that the 
insurer has information beyond that specified in the notice, the individual 
should be able to have it deleted from his record. 


INFORMATION FOR MARKETING AND RESEARCH 


Subsection 3(e)(3) of the Privacy Act of 1974 requires agencies to 
advise individuals whether the divulgence of particular items of information 
is mandatory or voluntary and the consequences of refusing to divulge them. 
The mandatory and voluntary concepts, however, have little meaning in the 
private sector, inasmuch as an individual’s divulgences are all “voluntary” 
and an insurance institution can make “mandatory” anything it wishes. As a 
practical matter, an individual may have little choice but to comply with 
whatever requests for information are made of him. An example of the 
trepidation this can cause will be found in the discussion of the Blue Cross- 
Blue Shield psychiatric claims form in Chapter 7, on the medical-care 
relationship. Since this is so, insurance institutions should at least indicate 
on their application forms any requested information which is unnecessary 
for insurance coverage determination purposes but which is sought for 
marketing, research, or other purposes. Otherwise individuals will have no 
way of knowing whether such inquiries are necessary, and thus whether they 
should bring pressure on the insurer to make the inquiries truly voluntary. 
Accordingly, the Commission recommends: 


Recommendation (7): 


That any insurance institution or insurance-support organization 
clearly specify to an individual those items of inquiry desired for 
marketing, research, or other purposes not directly related to 
establishing the individual’s eligibility for an insurance benefit or 


6859 CamScanner 


196 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


service being sought and which may be used for such purposes in 
individually identifiable form. 


This recommendation, which would not apply to third-party claim 
transactions, should be voluntarily complied with by insurers and support 
organizations. While the determination of what is required to establish 
eligibility is left to the individual company and will undoubtedly vary to 
some degree, fairness to the individual requires that he be apprised of those 
items of information desired, but not required by the company to determine 
acceptability or price. 


AUTHORIZATION STATEMENTS 


The authorization forms used by the insurance industry determine 
what information insurance institutions and their support organizations can 
obtain from those with whom an individual has a confidential relationship. 
Many authorization forms now in use are so broad as to constitute an 
invitation to abuse. Many do not indicate that they will be used by 
investigative-reporting agency representatives to develop inspection reports 
Or acquire medical-record information to be transmitted to the insurer. 
Many do not indicate that they will be used to get credit reports, or 
information from banks and other organizations. 

Although today, banks, employers, and some other types of record- 
keeping organizations may be willing to disclose certain information about 
an individual without his authorization, the Commission’s recommenda- 
tions with respect to those types of organizations would make obtaining the 
individual’s prior authorization necessary. When that happens, as well as in 
those situations where record keepers have confidential relationships with 
individuals today, such as in the medical-care relationship, the record keeper 
on whom the duty of confidentiality rests will be the final arbiter of what 
constitutes a valid authorization. As a practical matter, however, such a 
record keeper may be hard-pressed to refuse to honor a broadly worded 
authorization if the result is grave inconvenience to the individual or refusal 
to reimburse the record keeper for services already rendered to the 
individual. Thus, to set the standards whereby those who have a duty of 
confidentiality to an individual.may properly be asked to disclose informa- 
tion about him to others, the Commission recommends: 


Recommendation (8): 


That no insurance institution or insurance-support organization ask, 
require, or otherwise induce an individual, or someone authorized to 
act on his behalf, to sign any statement authorizing any individual or 
institution to disclose information about him, or about any other 
individual, unless the statement is: i 

(a) in plain language; 

(b) dated; 


(c) specific as to the individuals and institutions he is authorizing to 


CamScanner 


beue 


The Insurance Relationship 197 


disclose information about him who are known at the time the 
authorization is signed, and general as to others whose specific 
identity is not known at the time the authorization is signed; 

(d) specific as to the nature of the information he is authorizing to 
be disclosed; 

(e) specific as to the individuals or institutions to whom he is 
authorizing information to be disclosed; 

(f) specific as to the purpose(s) for which the information may be 
used by any of the parties named in (e), both at the time of the 
disclosure and at any time in the future; 

(g) specific as to its expiration date which should be for a 
reasonable period of time not to exceed one year, and in the 
case of life insurance or noncancelable or guaranteed renewable 
health insurance, two years after the date of the policy. 


The requirements of Recommendation (8) are not as severe as they may 
seem. Life and health insurance institutions regularly obtain authorizations 
as a part of their applications.- Because of the individual’s. need for 
insurance, :he exercises little bargaining. power over the terms of the 
authorization. If a claim is involved, the authorization is obtained as a 
condition to considering the claim. It does the claimant little good to refuse 
to sign the authorization, for then he must go through the burden of suing 
the insurer, and even then much of the information will be available during 
discovery. Because insurers can basically dictate the terms of the authoriza- 
tion, the Commission concluded that the terms of the authorization needed 
to be specified so that the individual would know what he was agreeing to 
have disclosed, and so that those who held information of a confidential 
nature would know that they had received a valid authorization from the 
individual to release information to others. 

Subsection (f) is especially important because it provides the individu- 
al with a description of the uses that may subsequently be made of 
information obtained about him pursuant to authorization. One particular 
example is that an individual would have to be told that information 
obtained from a medical-care provider in connection with underwriting may 
later be used for claim purposes. ; 

Subsection (c) requires the authorization to be as specific as possible. 
It must specifically name those individuals and organizations authorized to 
release information about him who are known at the time the authorization 
is obtained. But if, for instance, an insurer subsequently learns of an 
attending physician whom the individual has not revealed, then the more 
general language of the authorization can be used with regard to that 
physician. Returning to the individual every time an insurer learned of a 
new source would be expensive and, in some cases, distressing to the 
individual, since it could delay processing of his application. Moreover, the 
Subsequently identified source, a physician, for example, would still only be 
asked to disclose information of the sort described pursuant to subsection 
(d) and for the purpose specified pursuant to subsection (f). In addition, the 
Individual would ultimately be able to identify every record-keeper contact 


Ps 


CamScanner 


198 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


by exercising the access rights Commission Recommendations (10) and (13), 
below, would give him. 

Subsection (g) limits the validity of the authorization to a reasonable 
period of time not to exceed one year. The only exceptions to this are for life 
insurance and noncancelable or guaranteed renewable health insurance 
where an authorization signed in connection with an application would be 
valid for two years from the date of the policy. Those types of policies, it will 
be remembered, are contestable for two years after they are issued and 
during that period an insurer needs to be able to protect itself from fraud or 
misrepresentation at the time of application. 

Recommendation (8) would be implemented through the refusal of a 
holder of confidential information to release it unless presented with a valid 
authorization. It has also been suggested to the Commission that the 
National Association of Insurance Commissioners or the Commission on 
Uniform State laws might well develop standard authorization forms to 
achieve and facilitate the desired uniformity. Further, it should be noted 
that the necessary generality permitted by parts of Recommendation (8) need 
not apply to an insurance institution that obtains an authorization from an 
applicant, insured, or claimant permitting it to release confidential informa- 
tion to others. In that case, the authorization form can and should be 
specific as to what information, to whom, and for what purpose. 


INVESTIGATIVE INTERVIEWS 


As a general policy, the Commission believes that record-keeping 
institutions should strive as much as possible to collect information about an 
individual from the individual himself, rather than rely primarily on third- 
party sources. Furthermore, where an investigative report is being prepared, 
such a practice should not just be encouraged; it should be required if the 
individual so wishes. 

Although inaccuracies in investigative reports prepared by inspection 
bureaus were a major stimulus to enactment of the Fair Credit Reporting 
Act, it has not been possible to determine whether the Act has substantially 
reduced the error rate. The major purposes of an investigative report are to: 
(1) verify information supplied by the applicant or his agent; and (2) develop 
information about the applicant’s character, general reputation, and mode 
of living—lines of inquiry which must perforce involve a certain amount of 
subjective evaluation. Moreover, as Chapter 8 points out, it has been alleged 
that some reports get prepared without the investigator ever contacting 
anyone at all. Whatever the merits of that controversy, requiring an 
Interview with the subject of a report as an affirmative requirement will help 
to resolve it and, if industry spokesmen are correct about the usefulness of 
interviews with report subjects, such interviews will improve the quality of 
the information inspection bureaus transmit to their insurer clients. 

Thus, the Commission recommends: | 


6859 CamScanner 


The Insurance Relationship 199 


Recommendation (9): 


That the Federal Fair Credit Reporting Act be amended to provide 
that any insurance institution that may obtain an investigative report 
on an applicant or insured inform him that he may, upon request, be 
interviewed in connection with the preparation of the investigative 
report. The insurance institution and investigative agency must 
institute reasonable procedures to assure that such interviews are 
performed if requested. When an individual requests an interview and 
cannot reasonably be contacted, the obligation of the institution 
preparing the investigative report can be discharged by mailing a copy 
of the report, when prepared, to the individual. 


This recommendation would not apply to any investigative report 
about an individual made in reasonable anticipation of civil or criminal 
action, or for use in defense or settlement of an insurance claim. Nor would 
it require an interview in every instance, since the individual would have to 
request it and presumably would make himself available for the interview. 
Not all individuals will seek such an opportunity. When an individual 
requests an interview and cannot be contacted using reasonable procedures, 
the requirement for an interview can be discharged by mailing a copy of the 
report to him. 

The Commission considered having the interview occur just prior to 
sending the report off to the insurer, on the theory that the individual would 
then be in a position to review the information which had been gathered 
and, if necessary, to correct, amend, or dispute it. However, the Commission 
concluded that the difficulties involved in making a personal contact at a 
specific time could work to the disadvantage of the individual anxious to get 
his insurance application processed. Furthermore, the report is often not 
prepared until the investigator returns to his office. An alternative, also 
considered and rejected, would have required that a copy-of the report be 
sent to the individual at the same time it is sent to the insurer. This was 
rejected because of the cost involved (a copy of every report prepared would 
have to be sent, regardless of whether the report resulted in an adverse 
decision) and because the adoption of Recommendations (10) and (13), 
below, would make the report available to the individual on a see and copy 
basis from either the insurer or the investigative-reporting agency. 

In incorporating this requirement into the Fair Credit Reporting Act, 
it should be made clear that the interview requirement applies to underwnit- 
ng investigations undertaken by insurers themselves as well as by inspection 

ureaus. 


FAIRNESS IN USE 


ACCESS TO RECORDS 


Access to records, as a general concept of fair record-keeping practice, 
should be extended to insurance records. Allowing an individual to see and 
copy a record kept about him can be advantageous to the insurance 


689 CamScanner 


200 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


institution as well as to the individual. As suggested earlier, the records an 
insurance institution maintains about individuals are numerous and can 
serve a variety of functions. Except for medical records (information from 
which insurers also maintain), an insurance institution’s records may 
contain information on more dimensions of an individual’s life than almost 
any other type of record the Commission has examined. Moreover, several 
of the Commission’s other recommendations depend on the individual being 
able to have access to insurance records about himself at times other than 
when an adverse underwriting decision has been made about him. For 
example, the notice requirement proposed in Recommendation (5), and the 
limitation on collection practices in Recommendation (6), depend on the 
individual being able to find out what information-has been collected about 
him.:And, as in other areas, the authorization statement an individual is 
asked to sign allowing an insurer to disclose information about him will be a 
meaningless piece of paper if he cannot learn what he has authorized to be 
disclosed. 

Currently, an individual does not have a legal right to see or even learn 
the nature and substance of information maintained about him by an 
insurer, or by any insurance-support organization not subject to the Fair 
Credit Reporting Act. Moreover, the FCRA only requires an investigative- 
reporting agency to disclose to an individual the “‘nature and substance” of 
information in a report it has prepared about him. /15 U.S.C. 1681(a)(1)] 
The Medical Information Bureau voluntarily gives an individual access to 
the summary data it maintains on him, if he so requests, but the individual 
has no legal right of access to anything held by an insurer, and thus, may not 
be able to figure out why the MIB record says what it does, or get the insurer 
that caused the MIB record to be created to correct errors in it. 

To overcome these deficiencies, the Commission recommends: 


Recommendation (10): 


That the Federal Fair Credit Reporting Act be amended to provide: 


(a) That, upon request by an individual, an insurance institution or 

insurance-support organization must: 

(i) inform the individual, after verifying his identity, whether 
it has any recorded information pertaining to him; and 

(ii) permit the individual :to see and copy any such recorded 
information, either in person or by mail; or 

(iii) apprise the individual of the nature and substance of any 
such recorded information by telephone; and 

(iv) permit the individual to use one or the other of the 
methods of access provided in (a)(ii) and (iii), or both if he 
prefers. 


The insurance institution or: insurance-support organization. may : 
charge a reasonable copying fee for any copies provided to. the 
individual. Any such recorded information should be made available 
to the individual, but need not contain the name or other identifying 


CamScanner 


The Insurance Relationship 201 


particulars of any source (other than an institutional source) of 
information in the record who has provided such information on the 
condition that his identity not be revealed, and need not reveal a 
confidential numerical code. 


(b) That notwithstanding part (a), with respect to medical-record 
information maintained by an insurance institution or an 
insurance-support organization, an individual has a right of 
access to that information, either directly or through a licensed 
medical professional designated by the individual, whichever the 
insurance institution or support organization prefers. 


As far as insurance institutions are concerned, it is the Commission’s 
intention that this right of access be to any reasonably described informa- 
tion about the individual. In the case of an applicant, for example, 
commonly used identifiers such as name and address, coverage requested, 
and possibly date of application, ought to be enough to identify the record 
requested. The fact that information on one individual is contained in a 
record on another would not preclude the first from being able to see and 
copy it so long as he can provide the requisite identifier. Also, an individual 
should be able to see and copy information about other people in a record 
pertaining to himself if it is pertinent to his relationship with the insurer. For 
example, a husband who has an automobile policy that insures both him 
and his wife should be able to review his entire file, including any 
information in it about his wife. Conversely, as an insured, the wife should 
be able to see anything in the file on either herself or her husband. 

The proposed right of access would extend to all records about an 
individual that are reasonably retrievable. Thus, it would include all 
information in a credit or investigative report, except that the identity of a 
non-institutional source (for instance, a neighbor or associate) need not be 
revealed where such a source provided information on the condition that his 
identity not be revealed. The individual, however, would have full access to 
all information such a source provided. 

This, it will be noted, is a major departure from current practice 
wherein an insurer is customarily constrained from disclosing the contents 
of an investigative report to the individual by provisions in its contract with 
the inspection bureau. In the future, if the Commission’s recommendations 
are adopted, such contractual constraints will not be possible. Moreover, 
neither the insurer nor the inspection bureau will be able to withhold the 
identity of any institutional sources. 

The proposed right of access would also extend to medical-record 
information held by an insurer or insurance-support organization, although 
either organization would have the option of disclosing information to the 
individual through a licensed medical professional designated by the 
individual. The medical professional would be obligated to allow the 
Individual to see:and copy it upon request by the individual. 

. Finally, to make his access right convenient to exercise, the recommen- 
dation would allow an individual or a licensed ‘medical professional 
designated by him pursuant to subsection (b), to see and copy records in 





689 CamScanner 


202 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


person or by mail, or to have their nature and substance disclosed b 

telephone. This, too, is a departure from current practice inasmuch as the 
recommendation applies to support organizations as well as insurers, and 
the Fair Credit Reporting Act does not currently require an inspection 
bureau to provide the individual with a copy of an investigative report. 

It should be noted that this recommendation would not apply to any 
record about an individual compiled in reasonable anticipation of a civil or 
criminal action, or for use in settling a claim while the claim remains 
unsettled. After the claim is settled the recommendation would not apply to 
any record compiled in relation to a third-party claimant (ie., a claimant 
who is not a principal insured or policy owner) except as to any portion of 
such a record which is disseminated or used for a purpose unrelated to 
processing the claim. The exception for records compiled in reasonable 
anticipation of civil or criminal litigation would apply regardless of whether 
the insurance institution or support organization envisions being a plaintiff 
or defendant (in a civil action) or a complainant in a criminal proceeding. 
For example, an insurance institution or support organization may be 
compiling information to prove arson on the part of a first-party claimant. 
The insurer may have already paid the claim but is considering prosecution. 
When such an action is no longer reasonably contemplated, the first-party 
claimant’s access right would be established. 

When information is compiled in connection with the settlement of a 
first-party claim, and negotiations are in progress or contemplated, allowin 
access prior to settlement would unbalance the existing legal rights of both 
parties. However, once the first-party claim has been settled, the Commis- 
sion believes that there is no sound justification for continuing to deny 
access. 

The Commission does see the need to distinguish between first- and 
third-party claimants. Recommendation (1 0) creates a very limited right of 
access for a third-party claimant. Whereas the first-party claimant has a 
contractual relationship with the insurer, the third-party claimant, by 
definition, occupies an adversary role and has not entered into a relationship 
with the insurer. Only where information compiled in the course of a third- 
party settlement is used for a purpose other than settling the claim should 
the claimant be allowed access to such information. The principle involved 
is that non-claim decisions should not be made about an individual on the 
basis of records whose contents he cannot know. However, where the 
individual claimant is in an adversary negotiation with the record keeper, 
and existing law creates certain rights of access in the course of litigation, an 
exception to the general right of access recommended by the Commission 
can be justified. Information can be given to loss indexes and others solely 
for claim purposes without violating this exception to access by the 
individual. 

Since Recommendation (10) would be implemented by amending the 
Fair Credit Reporting Act, an individual would be able to compel 
production of a record by an insurance institution or support organization 
_through litigation brought in Federal court or another appropriate court. 
The right would be similar to the one given a citizen by the Federal Freedom 


CamScanner 


The Insurance Relationship 203 


of Information Act. The plaintiff would have to prove that he requested and 
was denied reasonably described records about himself in the possession of 
the insurance institution or support organization, and the burden would be 
on the institution or support organization to present any reason why the 
statute would not be applicable. Courts would have the power to order the 
insurance institution or support organization to disclose the particular 
record or records sought and to award reasonable attorney’s fees and other 
litigation costs to any plaintiff who substantially prevailed. 

Systematic denials of access by an insurance institution or support 
organization could be subject to Federal Trade Commission enforcement, in 
which the remedy would be an order directing the institution or support 
organization to produce records upon request by individuals. Once the 
Federal Trade Commission issued such an order, the insurance institution 
or support organization would then be subject to the usual enforcement 
mechanisms available to the FTC to secure compliance with its orders. 

An alternative to this approach, in the case of insurance institutions, is 
to encourage the States to enact amendments to the unfair trade practices 
sections of their insurance laws to give State Insurance Commissioners the 
authority to enforce the requirements of this recommendation, and of the 
correction and adverse decision rights that Recommendations (11) and (/3) 
would create. If a State failed to enact such legislation, the Federal Trade 
Commission would then be able to exercise its enforcement proceedings, 
using its normal enforcement mechanism with respect to systematic failures 
in that particular State. 

An individual would have no right to money damages based solely 
upon a denial of his access right under Recommendation (10). The burden 
would be on the individual to reasonably describe the document sought and 
the insurance institution or support organization could defend on the basis 
that it cannot reasonably locate or identify the records sought by the 
plaintiff. For example, the individual could sue for any document developed 
as the result of an application for insurance if the individual could identify 
the date and nature of the application. If, however, an individual requested 
any information that relates to him in a file, but could not, with some 
specificity, identify the circumstances pursuant to which such a file would 
have been developed, the insurance institution would not be under an 
affirmative obligation to search manually through each and every document 
to locate a possible passing reference to the individual. 

The Fair Credit Reporting Act currently creates the following 
limitation of liability protection: 


Except as provided in Sections 1681n and 1681o of this title, no 
consumer may bring any action or proceeding in the nature of 
defamation, invasion of privacy, or negligence with respect to the 
reporting of information against any consumer reporting agency, 
any user of information, or any person who furnishes information 
to a consumer reporting agency, based on information disclosed 
pursuant to 168!h or 1681m of this title, except as to false 
information furnished with malice or willful intent to injure such 
customer. {15 U.S.C. 1681h(e)] 


689 CamScanner 


204 PERSONAL PRIVACY IN AN INFORMATION SOCIETy 


The Commission believes that this type of protection should be 
extended to insurance institutions and support organizations in connection 
with recorded information furnished pursuant to either Recommendation 
(10) or Recommendation (13) concerning adverse underwriting decisions. Ip 
addition, because insurers, unlike their support organizations, make 
decisions about individuals, the Commission believes that they should not 
be liable to suit for retroactive coverage where an adverse underwritin 
decision is made on the basis of information which proves to be incorrect 
Thus, an insurance institution or support organization should have no 
liability, including liability for defamation, invasion of privacy or negli- 
gence, with respect to information which had been disclosed to an 
individual, regardless of whether or not that information was created or 
furnished by the insurance institution or insurance-support organization, 
unless false information was furnished to third parties with malice or willful 
intent to injure the individual. 


CORRECTION OF RECORDS 


Giving an individual the right to see and copy a record created for the 
purpose of making a decision about him is of little value if it is not 
accompanied by a right to get erroneous information in the record 
corrected. Both the Privacy Act and the Fair Credit Reporting Act establish 
procedures whereby an individual can correct, amend, or dispute inaccu- 
rate, obsolete, or incomplete information in a record about himself. The 
insurance business stands to gain, moreover, from improving the quality of 
information about individuals available to it. When an individual is denied 
insurance on the basis of an inaccurate record about himself, the insurer also 
suffers through the loss of premium income. Finally, given the observed 
need to strengthen and balance the respective roles of insurer and individual 
within the context of the insurance relationship, and given the fact that there 
is information interchange among insurers (particularly as facilitated by 
inspection bureaus, the Medical Information Bureau, and the loss indexes), 
it is unrealistic to expect the individual to chase an error through every 
insurance-related record-keeping organization to which it may have been 
transmitted. The insurer, the primary record keeper, must assume its fair 
share of responsibility for that task. 

Accordingly, to make the individual’s right of access to an insurance 
record worthwhile, and to improve the quality of recorded information 
available to underwriters and others who make decisions about applicants 
and insureds, the Commission recommends: 


Recommendation (11): 


That the Federal Fair Credit Reporting Act be amended to provide 
that each insurance institution and insurance-support organization 
permit an individual to request correction, amendment, or deletion of 
a record pertaining to him; and y 


(a) within a reasonable period of time: 


6859 CamScanner 


The Insurance Relationship 


(b) 


(c) 


(d) 


(i) . correct or amend (including supplement) any portion 
thereof which the individual reasonably believes is not 
accurate, timely, or complete; and 

(ii) . delete any portion thereof which is not within the scope of 
information the individual was originally told would be 

' collected about him; and 

furnish the correction, amendment, or fact of deletion to any 
person or organization specifically designated by the individual 
who may have, within two years prior thereto, received any such 
information; and, automatically, to any  insurance-support 
organization whose primary source of information on individu- 
als is insurance institutions when. the support organization has 
systematically received any such information from the insur- 
ance institution within the preceding seven years, unless the 
support organization no longer maintains the information, in 
which case, furnishing the correction, amendment, or fact of 
deletion is not required; and automatically to any insurance- 
support organization that furnished the information corrected, 
amended, or deleted; or 

inform the individual of its refusal to correct or amend the 

record in accordance with his request and of the reason(s) for 

the refusal; and 

(i) . permit an individual who disagrees with the refusal to 
correct or amend the record to have placed on or with the 
record a concise statement setting forth the reasons for his 
disagreement; and 


(ii) .in any subsequent disclosure outside the insurance 


.institution or support organization containing information 
about «which the individual has filed a statement of 
dispute, clearly note any portion of the record which is 

. disputed, and provide a copy-of the statement along with 
the information being disclosed; and 


” (iii): furnish the statement of dispute to any person or 


organization specifically designated by the individual who 
may have, within two years prior thereto, received any 
such information; and, automatically, to an insurance- 
support organization whose primary source of information 
on individuals is insurance institutions when the support 
organization has received any such information from the 
insurance: institution within the preceding seven years, 
unless the support organization no longer maintains the 
information, in which case, furnishing the statement is not 
required; and, automatically, to any insurance-support 
organization that furnished the disputed information; 
limit its reinvestigation of disputed information to.those record 
items in dispute. . 


205 


689 CamScanner 


206 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


Recommendation (12): 


That notwithstanding Recommendation (11)(a)(i), if an individual who 
is the subject of medical-record information maintained by an 
insurance institution or insurance-support organization requests 
correction or amendment of such information, the insurance institu- 
tion or insurance-support organization be required to: 


(a) disclose to the individual, or to a medical professional designat- 
ed by him, the identity of the medical-care provider who was the 
source of the medical-record information; and 

(b) make the correction or amendment requested within a reason- 
able period of time, if the medical-care provider who was the 
source of the information agrees that it is inaccurate or 
incomplete; and 

(c) establish a procedure whereby an individual who is the subject 
of medical-record information maintained by an insurance 
institution or insurance-support organization, and who believes 
that the information is incorrect or incomplete, would be 
provided an opportunity to present supplemental information of 
a limited nature for inclusion in the medical-record information 
maintained by the insurance institution or support organization, 


provided that the source of the supplemental information is also 
_ included. 


Although Recommendations (11) and (12) appear complex, they 
contain only two key requirements: 


* that an individual have a way of correcting, amending, 


deleting, or disputing information in a record about himself, 
- regardless of whether the record is held by an insurance 
institution or by a support organization; and 
that the insurance institution or support organization to 
whom the request for correction, amendment, or deletion is 
made, shall have an obligation to propagate the correction, 
amendment, deletion, or statement of dispute in any subse- 
quent disclosure it makes of the information to possible 
recipients within the previous two years whom the individual 
designates; and to any insurance-support organization which 
within the previous seven years has been a regular recipient of 


the type of information, or which was the source of the 
information. 


Regular recipients would include support organizations such as the 
Medical Information Bureau, the Impairment Bureau, or the loss indexes. 


‘nei would mainly be investigative-reporting agencies (inspection 
ureaus). 


The obvious objective of the second set of requirements is toallow for 
a thorough cleansing of industry record systems when inaccurate informa- 
tion is discovered and, in the case of amended or corrected information, t0 


> | 


CamScanner 


The Insurance Relationship a 207 


rovide measures of the completeness and validity of information used in 
making decisions about an individual, thereby reducing the number of 
adverse decisions made on the basis of inaccurate or incomplete informa- 
tion. Furthermore, Recommendations (11) and (12) also provide two 
important vehicles for enforcing compliance with Recommendations (5) and 
(6) on pre-notice and limits on collection practices. 

The requirement to delete information that falls outside the boundar- 
ies set by the notice called for in Recommendation (5), not only from the 
insurer’s records but also from the records of any support organization that 
has collected it, or to which it has been disclosed, not only gives the 
individual a means of holding the insurer to its declarations regarding the 
scope of the inquiry to be made about him, but also enhances the insurer’s 
control over the record-keeping practices of its contractors. In addition, by 
closely wedding the scope of a support organization’s inquiry on behalf of 
each of its clients to each client’s specified needs, the net effect of this 
requirement should be to allow an insurer that spends money on refining its 
relevance criteria and information collection techniques to avoid subsidizing 
other insurers that have not done so. At the present time, the relationship 
between insurer and investigative-reporting agency, for example, is loose 
enough to allow the reporting agency to use an inquiry on behalf of one 
insurer to gather information that can be marketed to others. Today, 
apparently, this is not a serious problem, because there are broad similarities 
among the kinds of reports insurers order. If Recommendation (5) succeeds in 
making privacy protection policy an element in insurers’ competition for 
customers, however, fairness demands that the more socially responsible 
insurers not have to subsidize the practices of their less conscientious 
competitors. 

In addition, subsection (d) limits the reinvestigation of disputed 
information to the items in dispute. The purpose of this provision is to 
prevent the dispute mechanism from becoming an occasion for a wholly new 
intrusion merely because of the questioned accuracy of one item. 

As to Recommendation (12), the rationale and explanation for it will be 
found in the discussion of Recommendation (8) in Chapter 7 on the medical- 
care relationship. 

Like Recommendation (10), neither Recommendation (11) nor Recom- 
mendation (12) would apply to any record about an individual compiled in 
reasonable anticipation of a civil or criminal action, or for use in settling a 
claim while the claim remains unsettled. After the claim is settled, moreover, 
these recommendations would not apply to any record compiled in relation 
to a claimant who is not an insured or policy owner, except as to any portion 
of such a record which is disseminated or used for a purpose unrelated to 
processing the claim. Nor are these recommendations intended to replace 
entirely the current Fair Credit Reporting Act reinvestigation and dispute 
requirements. Although Recommendation (11) would extend the current six- 
month limitation on an inspection bureau’s obligation to propagate 
corrections, amendments, and disputes, it is not intended that this 
recommendation supplant existing Fair Credit Reporting Act requirements 
to reinvestigate and record the current status of information (unless the 


CamScanner 


208 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


complaint is frivolous) or to delete information which can no longer be 
verified. 

The Fair Credit Reporting Act should be amended to allow an 
individual to sue to force compliance with Recommendations (11) and (12) 
and be entitled to reasonable attorney’s fees and other litigation costs if he 
substantially prevails. This would be the sole remedy in the event an - 
insurance institution or support organization fails to comply with the 
requirements of Recommendations (11) and (12), except that an intentional 
or willful refusal to comply could result in up to $1,000 in damages. The 
alternatives for Federal Trade Commission or State regulatory enforcement 
when there are repeated violations have been discussed above in conjunc- 
tion with Recommendation (10) on access and apply equally here. 


ADVERSE UNDERWRITING DECISIONS 


An underwriting decision cannot be fair if it is made on the basis of 
inaccurate information. Both the individual and the insurance institution 
have a common objective in this regard. Currently, however, an insurer that 
makes an adverse underwriting decision about an individual is not required, 
in most cases, to give any clues as to the information that supported it. If the 
information came from an investigative-reporting agency or a credit bureau, 
the insurer must identify the agency or bureau and furnish its address but 
nothing more. Furthermore, as explained earlier, being able to find out from 
a support organization the “nature and substance” of information it 
reported to the insurer is no guarantee that the individual will be able to 
relate what he learns to the decision that was made on the basis of it. The 
“nature and substance” of an investigative report may sound harmless to a 
rejected applicant. How is he to know that something in it, if explained in 
greater detail, might have caused the adverse decision to come out the other 
way? Or if something in the report is inaccurate, how is he to know whether 
it was that particular item that caused the adverse decision and thus the one 
that needs to be followed up? 

Because the investigative-reporting agency’s sources (including institu- 
tional sources) need not be disclosed to the individual, he also has no way of 
knowing to which sources he should go to get an inaccuracy corrected ina 
manner which will persuade the insurance institution that information the 
support organization reported was erroneous. Nor is the insurer under any 
obligation to disclose its own independent sources, such as the Medical 
Information Bureau, or the Impairment Bureau, or a source identified 
through the Medical Information Bureau. Finally, if the individual is 
‘venturesome enough to try to get inaccurate information corrected, he is 
expected to make the decision to do so without necessarily knowing what his 
‘Tights are under the Fair Credit Reporting Act. 

Thus, in order to bring insurance practices in line with current or 


recommended practice in other areas the Commission has examined, the 
Commission recommends: 


CamScanner 


| 2 


The Insurance Relationship 209 


Recommendation (13): 


That the Federal Fair Credit Reporting Act be amended to provide 
that an insurance institution must: 


(a) disclose in writing to an individual who is the subject of an 
adverse underwriting decision: 

(i) _ the specific reason(s) for the adverse decision; 

(ii) the specific item(s) of information that support(s) the 
reason(s) given pursuant to (a)(i), except that medical- 
record information may be disclosed either directly or 
through a licensed medical professional designated by the 
individual, whichever the insurance institution prefers; 

(iii) the name(s) and address(es) of the institutional source(s) 
of the item(s) given pursuant to (a)(ii); and 

(iv) the individual’s right to see and copy, upon request, all 
recorded information concerning the individual used to 
make the adverse decision, to the extent recorded 

- information exists; 

(b) permit the individual to see and copy, upon request, all recorded 
information pertaining to him used to make the adverse 
decision, to the extent recorded information exists, except that 
(i) such information need not contain the name or other 
identifying particulars of any source (other than an institutional 
source) who has provided such information on the condition that 
his or her identity not be revealed, and (ii) an individual may be 
permitted to see and copy medical-record information either 
directly or through a licensed medical professional designated 
by the individual, whichever the insurance institution prefers. 
The insurance institution should be allowed to charge a 
reasonable copying fee for any copies provided to the individual; 

(c) inform the individual of: 

(i) the procedures whereby he can correct, amend, delete, or 
file a statement of dispute with respect to any information 
disclosed pursuant to (a) and (b); and 

(ii) the individual’s rights provided by the Fair Credit 
Reporting Act, when the decision is based in whole or in 
part on information obtained from a consumer-reporting 
agency (as defined by the Fair Credit Reporting Act); 

(d) establish reasonable procedures to assure the implementation of 
the above. 


Recommendation (13) is similar to the recommendation regarding 
adverse credit decisions in Chapter 2. It is, however, even more of a 
departure from current practice in that insurers generally have not had to 
disclose the specific reasons for their adverse underwriting decisions. On the 
other hand, Recommendation (13) differs from its counterpart in the credit 
area in that, like Recommendation (10), above, it takes account of the fact 
that not all sources of information used to make an insurance decision about 


og 
< 
Ps 


689 CamScanner 


210 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


an individual are institutional ones and further, that some adverse insurance 
decisions may be made on the basis of medical-record information. It is 
linked to Recommendations (11) and (12) through subsection (c), which 
requires that the insurer apprise the individual of its own correction, 
amendment, deletion, and dispute procedures, and to Recommendation (4) in 
requiring that the insurer establish reasonable implementation procedures, 
It should be noted that Recommendation (13) applies only to adverse 
underwriting decisions, which the Commission has defined as follows: 


* With respect to life and health insurance, a denial of requested 


insurance coverage (except claims) in whole or in part or an 
offer to insure at other than standard rates; and with respect 
to all other kinds of insurance, a denial of requested insurance 
coverage (except claims) in whole or in part, or a rating which 
is based on information which differs from that which the 
individual furnished; or. 

a refusal to renew insurance coverage in whole or in part; or 
a cancellation of any insurance coverage in whole or in part. 


Since Recommendation (13) would be implemented by amending the 
Fair Credit Reporting Act, an individual would be able to obtain a court 
order from a Federal court or other court of competent jurisdiction to force 
an insurance institution to perform any one of the duties called for if he 
could prove that the insurance institution had failed to do so. This would 
include incomplete disclosure of the specific reasons and underlying 
information. The court would have the power to order the insurance 
institution to comply and to award attorney’s fees to any plaintiff who 
substantially prevailed. Such an action would be the individual’s sole 
remedy, except that the court should also have the power to award up to 
$1,000 to the plaintiff if it is shown that the institution intentionally or 
willfully denied the individual any of the rights Recommendation (13) would 
give him. 

As noted in the discussion of Recommendation (10), the Commission 
believes that a limitation of liability similar to that now provided by the Fair 
Credit Reporting Act should be extended to insurance institutions as well as 
insurance-support organizations. The implementation of Recommendation 
(10) would create no liability on the part of an insurance institution or 
Support organization, including liability for negligence, defamation or 
invasion of privacy, unless the institution or Support organization acted with 
malice or willful intent to harm the individual. 

Like Recommendations (1 Q), (11), and (12), Recommendation (13) 
depends primarily for its enforcement upon the individual’s assertion of his 
rights. As noted above, however, the Commission proposes two alternate 
means of government énforcement where an insurance institution repeated- 
ly or systematically denies the rights granted by Recommendations (10), (11), 
(12), and (13). One alternative is that the Federal Trade Commission would 

‘have the authority to bring enforcement proceedings, using its normal 
enforcement mechanisms. The other would be for the States to be 
encouraged to enact amendments to the unfair trade practices sections of 


CamScanner 


The Insurance Relationship 211 


their insurance laws which would give State Insurance Commissioners the 
authority to enforce the requirements of these four recommendations. 
Should a State enact such legislation, the Federal Trade Commission would 
then be precluded from exercising its enforcement proceedings with respect 
to systematic failures in that particular State. 


DEcISIONS BASED ON PREVIOUS ADVERSE DECISIONS 


In the following chapter, on record keeping in the employer-employee 
relationship, there are several examples of the harm that can result when 
actions taken against an individual by one record-keeping organization 
become the basis for decision making by another. The problem, however, is 
a general one and stems from the tendency of record-keeping organizations 
to make unwarranted assumptions about the validity and currency of 
information generated by other record-keeping organizations. Questions are 
seldom asked about how recorded information came to be and the caveats 
knowledge of those processes should evoke. 

As explained earlier, insurers often ask an applicant whether any other 
insurer has ever declined him, refused to renew a policy, or insured him at 
other than standard rates. While life insurers seem to use this information as 
a guide to finding out more about an applicant, automobile insurers often 
decline applicants solely on the basis of an affirmative response to the 
question. In the Commission’s opinion, this is grossly unfair. The bare fact 
of an adverse underwriting decision is an incomplete item of information; 
the reason for the decision is the important item and it is missing. Indeed, 
using the mere fact of a previous adverse decision as the basis for rejecting 
an insurance applicant is one of the clearest examples the Commission 
found of information itself being the cause of unfairness in a decision made 
on the basis of it. Thus, the Commission recommends: 


Recommendation (14): 
That no insurance institution or insurance-support organization: 


(a) make inquiry as to: 
(i) any previous adverse underwriting decision on an individ- 
ual, or 
(ii) whether an individual has obtained insurance through the 
substandard (residual) insurance market, 


unless the inquiry requests the reasons for such treatment; or 


(b) make any adverse underwriting decision based, in whole or in 
part, on the mere fact of: 
(i) aprevious adverse underwriting decision, or 
(ii) an individual having obtained insurance through the 
substandard (residual) market. y 


An insurance institution may, however, base an adverse 


89 CamScanner 


212 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


underwriting decision on further information obtained from the 
source, including other insurance institutions. 


It will be remembered that in the explanation of Recommendation (1), it 
was noted that when the fairness, as opposed to the propriety, of an item of 
information is at issue, one might both prohibit its use and require its 
collection. In Recommendation (14), however, the Commission proposes that 
an insurer both cease to inquire and cease to use, the reason being that 
compliance will be principally monitored through the individual's exercise 
of his rights pursuant to Recommendation (13) on adverse underwriting 
decisions. State Insurance Commissioners should use their unfair trade 
practices authority, and their authority to review certain application forms 
to assure that adverse insurance decisions are no longer based on the mere 
fact of a previous adverse decision. They should also require that insurers 
collect information about prior declinations only when the reasons for the 
declination are also collected. The Commission hopes, however, that once 
the previous adverse decision problem is well enough and widely enough 
understood, voluntary measures, facilitated by exercise of the statutory 
rights proposed in Recommendation (13), will assure universal compliance. 


UNDERWRITING DECISIONS BASED ON INFORMATION FROM INDUSTRY 
DATA EXCHANGES 


The Commission found that in life and health underwriting, there is 
less than perfect adherence to the industry’s own rules regarding the use of 
information obtained from the Medical Information Bureau. According to 
MIB rules, no adverse underwriting decision is ever supposed to be made 
solely on the basis of an MIB “flag,” but the record clearly indicates that 
efforts to achieve this have been weak and superficial.98 

The problem here, of course, is the same one Recommendation (9) 
addresses, except for the fact that in this case the items of information in 
question are being obtained from an industry data exchange rather than 
from the individual himself, thereby multiplying by two the points at which 
errors could be made. Either the insurer that reports an item to the 
exchange, or the exchange in reporting it to still another company, could 
report it incorrectly. Because the item is only a flag, moreover, it is by its 
very nature without context; that is, it is an incomplete item of information. 
Accordingly, the Commission recommends: 


Recommendation (15): 


That no insurance institution base an adverse underwriting decision, 
in whole or in part, on information about an individual it obtains from 
an insurance-support organization whose primary source of informa- 
tion is insurance institutions or insurance-support organizations; 
however, the insurance institution may base an adverse underwriting 





*8 Testimony of MIB, Insurance Records Hearings, May 19, 1976, pp. 244-54; 274-77. 


A 


CamScanner 


The Insurance Relationship 13 


decision on further information obtained from the original source, 
including another insurance institution. 


This recommendation would apply to the Medical Information 
Bureau and the Impairment Bureau, but not to the loss indexes, since they 
do not supply information for use in underwriting decisions. In addition, the 
recommendation refers only to information about a particular individual 
and, therefore, would not govern the use of information obtained, for 
example, from a rating organization. 

As with Recommendation (14), voluntary compliance with this recom- 
mendation will be facilitated by exercise of the statutory rights proposed in 
Recommendation (13), and also by any action taken by State Insurance 
Commissioners pursuant to their unfair trade practices authority referred to 
in the discussion of Recommendation (14). 


FAIRNESS IN DISCLOSURE 
DISCLOSURES TO INDUSTRY DATA EXCHANGES 


Life insurance companies have had a longstanding practice of 
reporting to the Medical Information Bureau or the Impairment Bureau 
information about an individual’s health, which they have obtained from 
sources other than a licensed medical-care provider, or the individual to 
whom the information pertains. The same has been true of property and 
liability reporting on claimants to the loss indexes. In the case of the MIB 
and the Impairment. Bureau, agents’ reports and reports compiled by 
inspection bureaus, in part on the basis of interviews with neighbors and 
associates, have been a major source of such information. In the Medical 
Information Bureau this material was coded as “medical information” that 
because of source does not meet the requirements of the Fair Credit 
Reporting Act, and “medical information received from a consumer report, 
not confirmed by the proposed insured or a medical facility.”99 

As discussed earlier, this is an area in which the MIB Executive 
Committee took action following the Commission’s hearings on the record- 
keeping practices of insurance institutions and insurance-support organiza- 
tions. The MIB’s action, however, does not affect the existing flow of 
“health status information” into the Impairment Bureau and the loss 
indexes. Moreover, as indicated in its discussion of Recommendation (11), 
the Commission believes that the responsibility for the content of records 
maintained by industry data exchanges is properly placed on the reporting 
insurance institutions, since it is they who control the record-keeping 
policies of the data exchanges. 

__ The chief problem with health status information is its unreliability. It 
is bad enough to be labeled as a pariah by those society considers qualified 
to do so, but it violates all canons of fairness to allow such labels to be 
attached by anyone, regardless of his qualifications. Accordingly, the 
Commission recommends: / 


Pa 


% Submission of MIB, “Offical Code List of Impairments - 1962,” Insurance Records 
Hearings, May 19, 1976, p. 1. 








CamScanner 


214 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


Recommendation (16): 


That Federal law be enacted to provide that no insurance institution 
or insurance-support organization may disclose to another insurance 
institution or insurance-support organization information pertaining 
to an individual’s medical history, diagnosis, condition, treatment, or 
evaluation, even with the explicit authorization of the individual, 
unless the information was obtained directly from a medical-care 
provider, the individual himself, his parent, spouse, or guardian. 


This recommendation should be implemented in connection with 
Recommendation (17) concerning the confidential relationship between an 
individual and an insurance institution or support organization. It would 
become part of the duty of confidentiality owed to an individual by an 
insurer or support organization. Although support organizations like the loss 
indexes have little practical control over the source of medical information 
sent to them, it is expected that insurance institutions, in order to protect 
their own interests in not disclosing medical information in violation of 
subsection (b)(iv) of Recemmendation (17), will establish procedures to 
assure that only medical information obtained from a qualified source is 
communicated to a support organization or to another insurance institution. 


Expectation of Confidentiality 


The Commission’s third policy objective is to establish and define the 
nature of the confidential relationship between an individual and the 
record-keeping institutions with which he can be said to have a relationship. 
A confidential relationship is one in which there is both an explicit 
limitation on the extent to which information generated by the relationship 
can be disclosed to others, and a prior mutual understanding by the parties 
involved as to what that limitation shall be. 

Certain relationships (e.g., doctor-patient, attorney-client) have tradi- 
tionally carried with them legally enforceable expectations of confidentiali- 
ty, at least in particular types of circumstances.!0° These protections, 
moreover, have sprung from the breadth of inquiry and observation on 
which the success of the relationship depends. If one type of relationship 
requires more divulgence and probing than another, the latter, so the 
argument goes, should not be permitted to feed off the former at will. To 
allow that to happen is not only fundamentally unfair; it is also a violation 
of the ethics of the first relationship. 

One sees this problem vividly today in the record-keeping dimensions 
of the doctor-patient relationship. It is present, however, in every area of 
personal-data record keeping where an individual must submit to the 
collection and recording of intimate details about himself in order to obtain 
some benefit or service. Furthermore, as the Commission argues in Chapter 
9, if society is to’solve the problems inherent in the compulsory disclosure of 





100 For a discussion of the doctor-patient testimonial privilege to most medical record- 
keeping situations, see Chapter 7. 


CamScanner 


The Insurance Relationship 215 


information about an individual from one record-keeping relationship to 
another, it must limit the circumstances in which voluntary disclosures are 
permitted at the discretion of the record keeper. Otherwise, there is no point 
in restricting the circumstances under which a government agency, for 
example, may compel a record keeper to produce information it holds in its 
records on an individual. To make such restrictions sensible, as well as to 
assure the individual a role in determining when and to what extent they will 
be suspended, one must first impose a duty of confidentiality on the holder 
of the records. 

With these considerations in mind, the Commission has concluded 
that each insurance institution and insurance-support organization should 
owe a duty of confidentiality to the individual on whom it maintains 
records. The amount, diversity, and character of the information gathered to 
establish and facilitate the insurance relationship is such as to warrant 
establishing such a duty of confidentiality. The insurance relationship, 
moreover, is extraordinarily important to society. Like the credit, deposi- 
tory, and medical-care relationships considered in other chapters of this 
report, it is one that is increasingly difficult for an individual to avoid. Yet 
the relationship cannot be maintained successfully if it is perceived as being 
inherently unfair or as disregarding the legitimate interests of the individuals 
who enter into it. 

Currently, insurance institutions and their support organizations 
voluntarily assume some ethical responsibility for the confidentiality of the 
information they maintain on individuals. However, they do not uniformly 
respect the individual’s legitimate desire to limit the disclosures they make 
about him, nor are they able to defend the integrity of their record-keeping 
relationships with individuals against certain demands made on them by 
extraneous parties. Thus, to create and define obligations with respect to the 
uses and disclosures that may be made of records about individuals, 
legitimate patterns of information-sharing within the industry and threshold 
conditions for the disclosure of such records to outsiders must be 
established. 

Accordingly, the Commission recommends: 


Recommendation (17): 


That Federal law be enacted to provide that each insurance institution 
and insurance-support organization be considered to owe a duty of 
confidentiality to any individual about whom it collects or receives 
information in connection with an insurance transaction, and that 
therefore, no insurance institution or support organization si:ould 
disclose, or be required to disclose, in individually identifiable form, 
any information about any such individual without the individual’s 
explicit authorization, unless the disclosure would be: 


(a) to a physician for the purpose of informing the individual of a 
medical problem of which the individual may not be aware; 

(b) from an insurance institution to a reinsurer or co-insurer, or to _ 
an agent or contractor of the insurance institution, including a 


6859 CamScanner 


216 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


sales person, independent claims adjuster, or insurance investi- 

gator, or to an insurance-support organization whose sole 

source of information is insurance institutions, or to any other 
party-in-interest to the insurance transaction, provided: 

(i) that only such information is disclosed as is necessary for 
such reinsurer, co-insurer, agent, contractor, insurance- 
support organization, or other party-in-interest to perform 
its function with regard to the individual or the insurance 
transaction; 

(ii) that such reinsurer, co-insurer, agent, contractor, insur- 
ance-support organization or other party-in-interest is 
prohibited from redisclosing the information without the 
authorization of the individual except, in the case of 
insurance institutions and insurance-support organiza- 
tions, as otherwise provided in this recommendation; and 

(iii) that the individual, if other than a third-party claimant, is 
notified at least initially concurrent with the application 
that such disclosure may be made and can find out if in 
fact it has been made; and 

(iv) that in no instance shall information pertaining to an 
individual’s medical history, diagnosis, condition, treat- 
ment, or evaluation be disclosed, even with the explicit 
authorization of the individual, unless the information was 
obtained directly from a medical-care provider, the 
individual himself, or his parent, spouse, or guardian; 

(c) from an insurance-support organization whose sole source of 
information is insurance institutions or self-insurers to an 
insurance institution or self-insurer, provided: 

(i) that the sole function of the insurance-support organiza- 

_ tion is the detection or prevention of insurance fraud in 
connection with claim settlements; 

(ii) that, if disclosed to a self-insurer, the self-insurer assumes 
the same duty of confidentiality with regard to that 
information which is required of insurance institutions 
and insurance-support organizations; and. 

(iii) that any insurance institution or self-insurer that receives 
information from any such insurance-support organization 
is prohibited from using such information for other than 
claim purposes; 

(d) to the insurance regulator of a State or its agent or contractor, 
for an insurance regulatory purpose statutorily authorized by 
the State; 

(e) toalaw enforcement authority: 

(i) to protect the legal interest of the insurer, reinsurer, co- 

‘insurer, agent, contractor, or other party-in-interest to 
prevent and to prosecute the perpetration of fraud upon 
them; or 

(ii) when the insurance institution or insurance-support 


wi 


CamScanner 





The Insurance Relationship 17 


organization has a reasonable belief of illegal activities on 
the part of the individual; 
(f) pursuant to a Federal, State, or local compulsory reporting 
statute or regulation; 
(g) in response to a lawfully issued administrative summons or 
judicial order, including a search warrant or subpoena. 


In contrast to the corresponding recommendations with respect to 
credit grantors and depository institutions, wherein interpretative responsi- 
bilities would be assigned to existing regulatory authorities, the Commission 
recommends that the responsibility for enforcing the confidentiality duties 
of insurance institutions and support organizations be left exclusively to the 
aggrieved individual. The information flows in and out of the insurance 
industry, while extensive in some areas, appear less dynamic and thus less 
prone to change than those in the credit area, for example. Asa result, there 
is less need for flexibility in establishing their legitimacy; that is, there is no 
need for an interpretative rule-making function. 

The provisions of the recommended statute, however, should be 
explicitly drawn to allow an individual to sue an insurance institution or 
support organization and to obtain actual damages for negligent disclosures 
that violate the duty of confidentiality, even if there is no showing of an 
intentional or willful violation. Where an intentional or willful violation of 
the duty of confidentiality is established, the individual should, in addition 
to actual damages and court costs, including reasonable attorney’s fees, be 
entitled to general damages of a minimum of $1,000 and a maximum of 
$10,000. A defense available to the defendant charged with negligent 
disclosure would be that it had established reasonable procedures and 
exercised reasonable care to implement and enforce those procedures in 
attempting to protect the interests of the individual. Where it could not meet 
such a test, the insurance institution or support organization would then be 
subject to actual damages and court costs, including legal fees, for any 
violations. 

The statute should also make clear that subsection (b)(iii) would not 
apply to any record about an individual compiled in reasonable anticipation 
of a civil or criminal action, or for use in settling a claim while the claim 
remains unsettled. After the claim is settled, moreover, subsection (b)(iii) 
would not apply to any record compiled in relation to a claimant who is not 
an insured or policyowner (i.e., a third-party claimant), except as to any 
portion of such record that is disseminated or used for a purpose unrelated 
to processing the claim. 

The first premise of the proposed statutory duty is that no record 
should be disclosed by an insurance institution or support organization 
without the authorization of the individual to whom it pertains. The 
Commission would expect, moreover, that the authorization statement used 
would be specific as to the information proposed to be furnished, to whom, 
and for what purpose. Nonetheless, as in other areas, the Commission has 
recognized the need to allow certain types of disclosures to occur without 
the individual’s authorization. These exceptions can be divided into three 
_ Categories: w 


CamScanner 


218 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


° disclosures to protect the individual; 

° disclosures the insurance institution or support organization 
must make in order to perform duties inherent in the 
insurance relationship or to protect itself from failure by the 
individual to meet the terms of the relationship; and 

° disclosures to governmental authorities. 


Subsection (a) of the recommendation falls into the first category. It 
permits disclosure without authorization to a physician for the purpose of 
informing the individual of a medical problem about which he may be 
unaware, and which an insurance institution or support organization may be 
reluctant to disclose to him directly. Making an exception for such situations 
seems justified by the benefit to the individual and by the minimal risk to 
personal privacy it involves, since the physician also stands in a confidential 
relationship to the individual. 

The’ second category of exceptions concerns disclosures consistent 
with the insurer’s rights and duties in its relationship with the insurance 
consumer. The duty of confidentiality, primarily for the benefit of the latter, 
should not unfairly burden the insurer’s ability to fulfill its part of the 
bargain or to protect its own interests. By the mere fact of applying for 
insurance, maintaining a policy, or presenting a claim, the individual 
authorizes the insurer to perform certain functions. Thus, under subsection 


. (b) of the Commission’s recommendation, no authorization is required for 


disclosures to reinsurers, co-insurers, agents, contractors, insurance-support 
organizations, or any other party-in-interest, when disclosure is necessary 
for that person to perform a function concerned with the insurer’s 
relationship with the insured. The insured should nonetheless be notified 
(see Recommendation (5)) that such disclosures may be made and should be 
able to find out whether or not they have, in fact, been made (see 
Recommendation (10)). 

In many cases, individually identifiable information is provided by an 
insurer to one or more other insurers who act as reinsurers of the first. The 
individual whose insurance policy is reinsured has no legal relationship with 
the reinsurer. The only party who has a contractual relationship with the 
insured is the insurer from whom the individual purchased the policy. 
Reinsurance is common within the insurance industry, and sometimes 
involves the transfer of individually identifiable information. Currently, 
however, the individual has no knowledge of this type of disclosure. 

It would serve no purpose to require an applicant to expressly 
authorize the dissemination of information about him to a reinsurer. The 
individual who refused to authorize the disclosure would simply be denied 
the insuranze. The reinsurer, moreover, would have the same duty of 
confidentiality as the original insurer and be subject to the same require- 
ments for holding information in confidence. 

The reinsurance situation is similar to other party-in-interest situations 
in which the Commission believes individual authorization should not be 
required for information disclosure. For example, the amount of one 
insurer’s claim payment may be related to another’s payment. In this case, 
where a pro-rata liability or other coordination of benefits clause exists, each 


CamScanner 


: The Insurance Relationship : 219 





insurer must be considered a co-insurer and should, therefore, be allowed to 
share necessary information, subject to the same restrictions as to notice and 
confidentiality outlined above. Other exceptions based on the party-in- 
interest concept would include cases involving subrogation,'°! as well as 
cases involving insurers who were potentially being defrauded by the same 
person. 
All parties-in-interest referred to in subsection (b) would either already 
be bound by or would assume the same duty of confidentiality as the 
provider of the information—that is, they would not be permitted to 
redisclose the information without the individual’s authorization, unless, in 
the case of any party-in-interest that is an insurance institution or insurance- 
‘support organization, the disclosure would be otherwise authorized under 
this recommendation. Only information necessary for the recipient to 
erform its function should be disclosed. Thus, for example, an independent 
claims adjuster should only be given the information needed to properly 
settle a claim. As already noted, subsection (b)(iii), which requires notice and 
a way for an individual to find out whether a particular disclosure had been 
made, would not apply to cases expected to involve litigation or to claims 
situations. Subsection (b)(iv) incorporates Recommendation (16) as the 
Commission urged that it should, above. 

One special concern of insurance institutions and insurance-support 
organizations is to detect and deter fraud. Privacy requirements should not 
be used to restrict an insurer’s capacity to protect its interests, especially 
where fraud may be involved. Thus, no authorization is required under 
subsection (b) for the disclosure of information to the Insurance Crime 
Prevention Institute or other support organizations that operate as surro- 
gates of the insurer in seeking to prevent fraud. Authorization is also not 
needed for disclosure to one of the loss indexes or other insurers when the 
purpose is to deter and detect insurance fraud. Conversely, subsection (c) 
could allow the loss indexes to continue to disseminate information to their 
subscribers without individual authorization. To require otherwise would be 
tantamount to destroying the loss indexes, since those intent on fraud would 
naturally refuse to agree to the disclosure. 

Currently, “self-insurers” may subscribe to the loss indexes. These 
subscribers are neither insurance institutions nor insurance-support organi- 
zations within the Commission’s or insurance regulatory officials’ defini- 
tions. They are companies and governments that have chosen to retain some 
or all of their exposure to loss rather than to transfer it to an insurer. Since 
they are not insurance institutions or insurance-support organizations, they 
are not subject to the Commission’s recommendations on such organiza- 
tions. Nevertheless, the information from the loss indexes may continue to 
flow to self-insurers and should, therefore, be subject to a duty of 
confidentiality as provided in subsection (c)(ii). 

The third category of exceptions concerns disclosures to government. 

e Commission is aware that, for public policy reasons, information must 
be disclosed by insurance industry parties to law enforcement officials under 


——— 
= Subrogation is the substitution of one party in place of another with reference to a lawfi1! 
Claim or right. 


a“ 


< 


rd 


689 CamScanner 


220 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


certain circumstances. Such disclosures would be permitted, provided they 
comply with the Commission’s recommendations regarding government 
access to private-sector records, explained in Chapter 9. ae 

One voluntary disclosure that is permitted without an authorization is 
to law enforcement officials when an insurance institution or insurance- 
support organization reasonably concludes, from information generated in 
its relationship with him, that an individual has violated the law or is 
suspected of fraud in connection with the insurance coverage. Certainly in 
this instance, the insurer should not be required to get the authorization of 
the individual. 

Furthermore, insurance institutions are required to release informa- 
tion to State insurance departments which regulate the insurance industry, 
Insurance institutions and insurance-support organizations must also 
respond to Federal, State, and local compulsory reporting statutes and 
regulations. They have no choice but to disclose information when required 
by government under these circumstances. A requirement of authorization 
by the individual would be meaningless. The Commission recognizes, 
however, that insurance institutions, like other record keepers, should have 
some obligation to inform an individual that information will be routinely 
reported to government. Finally, insurance institutions and support organi- 
zations must respond to a lawfully issued administrative summons or 
Judicial order, such as a subpoena or search warrant. While they have no 
choice but to comply with such legal process, and while the primary 
obligation to assure protection of an individual’s rights should rest with 
government, as explored in Chapter 9, the insurance record keeper has 
certain responsibilities—primarily to assure the facial validity of the 
particular form of compulsory process~served on it, and to limit its 
compliance to the specific terms of the order. If, for example, a subpoena 
requires disclosure of information on a certain date, an insurance institution 
or support organization should not disclose until that date. Restricted 
response of this type will permit the individual whose records were sought to 
exercise those rights the Commission recommends be granted in the context 
of government access. 


* * * * * * * 


Insurance protection is vital to most Americans. Much personal 
information is provided or developed through the process of providing 
needed insurance protection, properly pricing it, and in servicing insurance 
contracts, including the investigation and settlement of claims. The 
Commission believes that the recommendations in this chapter respect this 
need for information and strengthen the relationship between insured and 
insurer while promoting its three public-policy objectives. 


6859 CamScanner 


The Insurance Relationship 221 


GLOSSARY OF TERMS 
Individual: 


any natural person who is a past, present, or proposed named or 
principal insured (including any principal insured under a family or 
group policy or similar arrangement of coverage for a person in a 
group), policyowner, or past or present claimant. 


Insurance Institution: 


an insurance company (including so-called service plans like Blue 
Cross and Blue Shield and any other similar service plan), 
regardless of type of insurance written or organizational form, 
including insurance company regional, branch, sales, or service 
offices (or divisions or insurance affiliates), or insurance company 
solicitors; or agents and brokers. 


Insurance-Support Organizations: 


an organization which regularly engages in whole or in part in the 
practice of assembling or evaluating information on individuals for 
the purpose of providing such information or evaluation to 
insurance institutions for insurance purposes. 


Insurance Transaction: 


whenever a decision (be it adverse or otherwise) is rendered 
regarding an individual's eligibility for an insurance benefit or 
service. 


Adverse Underwriting Decision: 


(1) with respect to life and health insurance, a denial of requested 
insurance coverage (except claims) in whole or in part, or an 
offer to insure at other than standard rates; and with respect 
to all other kinds of insurance, a denial of requested coverage 
(except claims) in whole or in part, or a rating which is based 
on information which differs from that which the individual 
furnished; 

(2) arefusal to renew insurance coverage in whole or in part; or 

(3) acancellation of any insurance coverage in whole or in part. 


Institutional Source: 


an institutional source is any person who provides information as 
part of his employment or any other connection with an insurance 
institution. 


Medical-Record Information: 


information relating to an individual’s medical history, diagnosis, 
condition, treatment, or evaluation obtained from a medical-care 
provider, from the individual himself, or from his spouse, parent, or 


89 CamScanner 


222 PERSONAL PRIVACY IN AN INFORMATION SOCIETY 


guardian for the purpose of making a non-medical decision (e.g., an 
underwriting decision) about the individual. 


Medical-Care Provider: 
a medical professional or medical-care institution. 


Medical Professional: 


any person licensed or certified to provide medical services to 

individuals, including but not limited to, a physician, dentist, nurse, 

optometrist, physical or occupational therapist, psychiatric social 
_ worker, clinical dietitian, or clinical psychologist. 


Medical-Care Institution: 


any facility or institution that is licensed to provide medical-care 
services to individuals, including, but not limited to, hospitals, 
skilled nursing facilities, home-health agencies, clinics, rehabilita- 


tion agencies, and public-health agencies or health-maintenance 
organizations (HMO’s). 


689 CamScanner 


